Ask the Commissioner: Data Protection Tips for Small Businesses

As a small business owner, you have a lot to contend with. A master of many skills, you’ll wear many hats. You’re an ‘Accountant’ when managing your finances, you sometimes don your ‘Marketer’ hat for getting your brand noticed. You often wear your ‘Caregiver’ hat to ensure your staff remain happy and engaged and to maintain the smooth running of your business, you’ll also sport your Operations cap often too.

With so many things to consider, plates to spin, hats to wear and business as usual demands on your radar, it can be easy to let certain things slip.

Data Protection could be one of those matters on your to-do list that you’re not sure where to begin with and as such, you’re not really sure if you are keeping up-to-date with your obligations as business owners.

The Jersey Office of the Information Commissioner understands that it can be a challenge to keep on top of your obligations as data controllers and data processors, but help is at hand.

If you visit our dedicated resource zone especially for organisations that includes a variety of handy tools and downloads such as how-to guides, what to do when you encounter a data protection breach and how to handle subject access requests (amongst other resources).

Having worked in data protection for 18 years, there are a few handy tips I’ve learnt that are incredibly useful for small businesses.

Information Commissioner Paul Vane’s Five Top Tips for best Data Protection Practice

1.Passwords
Protect your customer and staff data by ensuring any documents that contain personally identifiable or sensitive data, are password-protected. Make sure the passwords you use to access these documents are different for each and not easily guessed by others.

2.Privacy & Security Settings
When you sign up to use new apps and tools that help you and your business, you are often asked to click ‘accept our privacy terms’. But when was the last time you actually read these terms? It’s vital that you understand what kind of access you are giving these tools and apps, where your business data will be stored and how much of your data they can see.

3.Firewall, VPN, Antivirus
These aren’t just tech terms. This trio is, in fact, the backbone of a strong defence to protect your data. A firewall keeps your network safe from intruders and the antivirus software ensures you don’t open or download anything that could include a threat to your data or system. The VPN (virtual private network) allows you to surf the net while using a public wi-fi connection and avoid anyone else on that network from snooping at your web search history.

4.Educate
Good data protection practice doesn’t just stop with the business owner. It is the responsibility of all of your team. Anyone that gathers, handles or processes customer or staff data should be aware of their data protection obligations. Educate your team about the best way to store your data and when and why to disclose to others outside your organisation. Remember the Data Protection (Jersey) Law 2018 is based around the following six principles of ‘good information handling’ and anyone that processes personal information must ensure it is:

  • Used fairly, lawfully and transparently.
  • Used for specified, explicit purposes.
  • Used in a way that is adequate, relevant and limited to only what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Kept for no longer than is necessary.
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

5.Keep it Simple

Much of data protection compliance is about adopting a common-sense approach. The Data Protection (Jersey) Law 2018 may seem daunting if you have never embarked on a data protection compliance journey before. But if you stick to the basics, adopt the six data protection principles, and treat others’ information as if it were your own prized possessions, then you will find you will be a long way down the road to compliance, and in good shape to protect your company’s most valuable asset…its data!

If you or your business process personal information then by law, you must be registered with our office and know your obligations under the law to make sure your customer and staff information is protected.

Our office is here to help businesses, charities, clubs and associations of all sizes navigate the data protection landscape to provide the people of Jersey with the highest standards of privacy and data protection. If you or your team has a data protection question or would benefit from some guidance, please call our office on 01534 716530. You can also explore our toolkit specifically designed for small organisations.