Starting a new business? New to data protection? No problem!

“Dear Commissioner, I’m a sole trader getting close to launching my first business, but I have no idea what I need to do when it comes to data protection. Where do I even begin?” Anne King, Operations Director at the Jersey Office of the Information Commissioner, gives her top tips for what to consider when it comes to data protection for new small business owners.

 

When getting a new business venture off the ground, we know there are a hundred things to consider and many plates you need to spin before you’ve even had your first customer or client through the door. In Jersey, one of the often-overlooked factors of establishing a small business, whether as a sole trader, as a partnership or limited company, is consideration for the personal data you’ll no doubt be collecting.

Customer information, employee details, even contact or payment details for suppliers and contractors are all data points you’ll need to take responsibility for looking after once you’ve established your business. Under the Data Protection (Jersey) Law 2018, if you are using people’s personal data, as well as a Business Owner/CEO/Entrepreneur/Start-up Extraordinaire, you’ll also gain the swish new title of Data Controller.

 

Firstly, what is Data Protection and why is it important?

Data Protection is about the fair, transparent and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations.

Protecting and caring for people’s personal data is vital to protect their privacy and in turn, their wellbeing. It’s also a legal requirement under the Data Protection (Jersey) Law 2018 (that’s our local version of the European General Data Protection Regulation, also known as the ‘GDPR’). If you don’t look after this information properly, and something happens (e.g. the information is lost or stolen) this can have significant effects for individuals. It can also put your organisation at risk of complaints and investigative action from our office.

 

Who needs to comply with the Jersey Data Protection Law?

All those who use information about individuals for any reason other than their own personal, family or household purposes, need to comply with the law. The law takes a flexible, risk-based approach which encourages those that use (for example, collect, record or store) people’s personal data, to think carefully about how and why they need it, use it and for how long they need to keep it. You need to make sure you look after that personal data and keep it safe and secure and that only the right people in your organisation have access to it.

 

Top Tips for Using Personal Data:

  • Think ‘data protection’ from the moment you collect customer, volunteer, staff, member or supplier personal data. It’s easier to protect than correct!
  • Know and make sure you can explain to individuals:

» what you are collecting

» why you need it

» how you are using it

» what measures you have in place to keep it safe

  • Only process what you really need. Information minimisation reduces risk.
  • Treat all personal data with the same respect and security as you would wish for your own personal data.
  • Carefully consider who, how, what and why you need to share personal data before doing so. If it is not necessary to do so, then don’t.
  • Make sure that you are transparent about how you are using people’s personal data. Most organisations use something called a privacy policy/data protection statement to give this information to individuals and many post it on their website. If you don’t have a privacy policy, create one using our handy template.

 

People and Data Protection:

  • Train, train, train. Data protection training and awareness for all staff, volunteers and executives is fundamental. They need to know what they can/cannot do with the information entrusted to them and what to do if something happens so they can support your organisation to maintain the highest data protection standards.
  • Check who has access to personal data to ensure that only those who need access, have access.

 

Managing Personal Data:

  • Consider turning off the ‘auto-complete’ function for email addresses. How many times have you mistakenly sent an email to the wrong person? (Remember this may be a personal data breach under the law and may be reportable to our office.)
  • Use the BCC field when sending emails to more than one recipient. Avoid the risk of sharing personal data with someone who shouldn’t have it.
  • Think twice before forwarding emails as they may contain information from previous correspondence that shouldn’t be shared.
  • Take extra care to protect and secure sensitive information, such as medical, racial, ethnic, religious or criminal record details.
  • Take care not to leave paperwork containing personal data in view of others.

 

 Storing and Assessing Personal Data:

  • Keep a personal data breach log and make sure it’s kept up to date. Review it regularly to identify if there is a pattern of breaches that need to addressed. Consider if any breaches need to be reported to our office.
  • Make sure that any IT security / software updates are implemented in a timely manner.
  • Finally – only keep personal data for as long as it is necessary and safely destroy it when it is no longer required.

 

Always remember that we want you to be data protection confident. If you’re in doubt and not sure about something related to data protection, have questions, or need advice, our team at the Jersey Office of the Information Commissioner is available to help you. You can call us on 716530, email us at enquiries@jerseyoic.org or visit our dedicated resource room that includes a variety of handy toolkits, checklists, templates and how-to-guides.

 

If you have a question to submit for our Ask the Commissioner feature, you can email us at communications@jerseyoic.org and use the subject title “Ask the Commissioner”.