Data Protection: 8 questions to ask about your business

We’ve all done it…

• Downloaded information on to a shared drive or memory stick so we can work on something remotely.
• Shared documents with clients and not thought about how that information could be used when it leaves our control.
• Shared information with a password and not thought about how it has been shared.
• Not changed group passwords for documents or systems after someone leaves, meaning they could still potentially access data…

Data protection is a topic no one particularly likes to think about but it can have real consequences for your business.  If we’re honest, we often only think about it after it becomes an issue e.g. we’ve caught someone read handed and we need to discipline them.

Data Processor or Controller: the low-down

The Data Protection Act makes a clear distinction between being a Data Controller and a Data Processor:

• A Data Controller is someone who (either alone or jointly or in common with other people) determines the purpose for which and the manner in which any personal data are, or are to be, processed.
• A Data processor means any person other than an employee of the data controller, who processes the data on behalf of the data controller.

Asleep yet?  I’m not surprised.  These two roles do mean that there are different uses for data and different rules you need to follow to stay on the right side of the law. More information and guidance on this can be found on the Information Commissioner’s website.

Data best practices: 8 questions to ask about your business

Whatever your role is with data and information there are 8 questions to ask about your business based on data protection ‘best practice’ and to help you assess whether you are doing what you should do under the Data Protection Act (as well as protecting your business and client data).

• What is the information that is being used?
• How will the data or information be used?
• Who will it be shared with and how?
• What is your company policy on data protection and who can access information?
• What is your policy on downloading information and what it is acceptable to download? If information is downloaded, is it onto encrypted memory sticks?
• If so what is the process around them and how often is information cleared from them?
• How regularly you change passwords and the process?
• How you deal with data breaches under your disciplinary policy.

What if there is data breach

If you have a data breach and need to dismiss someone who you have reason to believe has taken confidential data, then this is not just an employee issue: it is also a criminal offence and can be reported to the Information Commissioner.  They then investigate and deal with the prosecution and the employee could face dismissal as well as a fine and criminal record. Scary, but an added incentive to have a full data protection policy that everyone understands.

If you are having issues with confidentiality, or how data protection may be the cause of your business headache, talk to us here at HR180 where our team of outsourced HR superheroes are able to assist.  For more information get in touch – details below.