Chamber President, Paul Daine, welcomed the audience to the final Breakfast Matters of 2017, exclaiming how great it was to see so many in attendance. He then introduced the guest speaker for the morning, James Hayward from the Information Commissioner’s Office (ICO), who was broaching the subject on everyone’s minds – data protection.
Since the first Data Protection Act in 1984, businesses have been responsible for ensuring the accuracy and security of the data they hold. The ICO regulates compliance with the act, and when things go wrong it has the power to take enforcement action, including levying fines. James reflected on some of the high-profile organisations that have been fined in the past, such as TalkTalk and Sony, after they failed to protect personal information. However, the ICO sees problems at smaller firms too; in 2016 a data supply company was fined £20,000 after it was found to have sold personal information that was later used for spam marketing campaigns.
When data protection goes wrong there can be serious consequences: damaged reputation, regulatory action from the ICO, and serious damage or distress for the affected individuals. From 25th May 2018, data protection is going to change with the introduction of the General Data Protection Regulation (GDPR), which builds upon the current Data Protection Act, but James explained that if you already know your data protection responsibilities it will be an evolution, not a revolution.
Being a member of the enforcement team at the ICO, James has investigated or overseen hundreds of data protection breaches, so sees the most frequent mistakes and knows what constitutes best practice. With this in mind, he delved into seven key topics to help business owners in the room get to grips with data protection.
Data protection obligations begin with people. Currently, if a company holds personal data about a person, that individual has the right to request a copy of that data and the company must respond within 40 days. The company also has the right to charge a maximum of £10 for processing the request. Under GDPR the rules will change: individuals will still have the right to request a copy of their data, but businesses will no longer be able to charge for it, and the response timescale will be shortened to one month. An individual also has the right to request that their data is rectified or erased, and to be informed about how it is going to be used.
GDPR requires companies to be transparent about what they do with people's information. This is typically provided in a privacy notice, which should be concise, transparent, intelligible, free of charge and easily accessible. A good time to provide a privacy notice is when the information is being collected; alternatively, it can be published on the business's website.
Data Protection Officers
At present, many companies have a named Data Protection Officer, who is responsible for compliance with the legislation and typically responds to requests for personal information. Today a Data Protection Officer is usually found in large organisations such as the NHS, but GDPR makes the appointment of a Data Protection Officer mandatory in some circumstances, such as when a company processes especially sensitive data.
Security of Data
James explained that the ICO recognises that data breaches do occur, and they are not always the fault of the business, but he encouraged the audience to take steps to make them less likely by doing the following:
- Provide training for staff covering the basics of data protection
- Create policies detailing expectations about how staff should handle data
- Think carefully about what electronic devices are used, and if possible provide them to staff
- Always use encryption on electronic devices to create an additional layer of security
- Ensure that any paper records are locked away
All of these steps are important in showing that you have good data protection practices in the workplace. If you are unfortunate enough to experience a data breach, under GDPR it must be reported to the ICO within 72 hours of becoming aware of it, and there is a dedicated phone line to advise those who have had a breach. To put things into perspective, James told the audience that only the most serious cases are investigated, and only 1% of 2,500 cases ended with a fine this year.
Sharing Information with other Organisations
James is often asked whether personal information can be shared between two organisations. The short answer is yes, but certain safeguards apply, the main one being consent. Getting consent from individuals is one of the most straightforward ways to be compliant; however, GDPR will tighten the rules: consent will need to be freely given and well informed, and people will have the right to withdraw their consent at any time. James added that a business can still share information with another business without explicit consent, but it must have a legal basis for doing so.
Of course, businesses want to advertise their goods and services, but if they want to market directly to an individual there are some rules to take into consideration:
- Electronic Direct Marketing – when it comes to phone calls or emails, strict rules apply and a person must have given consent to be contacted in that manner. For phone calls, an easy check is the Telephone Preference Service, which allows people to register their numbers to opt out of marketing calls.
- Postal Direct Marketing – similarly, this is permission based, and if an individual asks to be taken off a mailing list a business must comply and remove them, with no exceptions.
Registration with the ICO
Anybody who processes personal information (which is almost everyone!) must register with the ICO. Currently the fee is £35 per year, or £500 per year for businesses lucky enough to have a turnover above £25 million. Under GDPR, it is expected that three pricing tiers will be introduced:
- Tier 1 – £55 per year
- Tier 2 – £80 per year
- Tier 3 – £1,000 per year
Each of the seven topics covered by James likely set off a lot of different thoughts for the audience in relation to their own business, so he encouraged them to utilise all of the resources for SMEs on the ICO website and use the dedicated helpline if needed.
Next up for a quick chat with the audience about adult education was Alex McCann from Altrincham HQ, who went back to college himself this year. He shared that the aim for 2020 is to have 15% of adults aged 25-64 participating in lifelong learning, as many people consider education to be over after college and university, when in reality it would be great if we could all keep learning continuously.
Alex, who specialises in social media, got the fitness bug after dramatically decreasing his weight from 20 stone, and this led to his interest in taking a course to become a fitness instructor. After speaking with Trafford College and agreeing to join the course, Alex explained how he began to have doubts: "What if I'm the oldest in the class? Should I just stick to what I know? What if I make a fool of myself? Will I have time when running a business? What if I fail?" But in reality it was an amazing experience, and all of the doubts went away as Alex passed his course and is now a qualified fitness instructor! To end, Alex encouraged the audience to get back into learning, as it has been the highlight of his year.
It was then time for the business card draw. The first winner, of dinner at the Cresta Court's Townfields restaurant, was Chloe Leyland from Analysis Legal. Richard Whitehurst from Tutor Doctor won a free LinkedIn Health Check from Peter Collins, and Nigel Peacock from MeAndMyMates.com won a 12-month strategy plan from Mike Alleyne.
Paul welcomed the last new members of 2017:
- Chris Wicks – Bridgewater Financial Services Ltd
- Sim Goldblum – Maxpotenti Ltd
- Nigel Peacock – MeAndMyMates.com
Finally, Paul cast thoughts forward to the New Year and the first Breakfast Matters on 11th January, and wished everyone a lovely festive break.