Business data protection

Business data protection helps secure customer details, financial information, sales figures and other key business data, protecting one of your most important assets.

Good business data protection protects your valuable information, as well as ensuring you comply with relevant data protection rules and legislation. You should think about business data protection alongside your backup options to ensure your data is safe, even if you suffer a data protection breach or the loss or breakdown of your IT system.

What would a data protection breach cost you?

Problems with data could cost your company. For instance:

  • Your reputation could be damaged if customer data was leaked to a competitor.
  • Failure or loss of your customer database might leave you unable to carry out sales and marketing activity.
  • Failure to adhere to data protection rules could result in legal action and a substantial fine. Under the General Data Protection Regulation (GDPR), the Information Commissioner can impose fines of up to 4% of global annual turnover or €20m, whichever is higher.

You need safeguards, policies and systems to stop a data protection breach.

Practising good business data protection

The first step to ensuring good business data protection is to identify all data in your business and where it's stored. Consider all places your data may be stored. It is increasingly likely that company data is also held outside your main IT system - on mobile devices or cloud services. Once you have identified all the data you hold, you can then evaluate its sensitivity and decide what steps to take to comply with data protection rules. A data protection audit is an ideal way to consolidate and organise this process.

Under the GDPR some organisations may have to appoint a data protection officer (DPO). A DPO can be an existing employee, a new hire, or the position can be contracted out. While not all organisations (especially smaller businesses) will require a DPO, it is good practice to have one person with specialist data protection knowledge within your business to oversee data protection compliance, conducting audits, data protection impact assessments for new projects, training relevant staff and raising awareness of data protection.

It's important you keep data accurate and up to date. Maintaining outdated records can be as bad as having no data at all, so implement procedures for regularly reviewing and updating records.

Duplicate records can be problematic too. You might end up mailing customers twice, or be unable to build up a picture of people's purchasing history. Many database systems allow you to identify duplicates automatically.

If you store data about people - like customers or employees - you'll need to provide them with access whenever they request to see it, indicate how you're intending to use it and who the data might be shared with. Many businesses do this by establishing an area on their website where customers can log in, update their details and indicate their email marketing preferences.

Data protection rules

The GDPR is the key piece of legislation relating to how your business stores and uses data. It applies to any personal information you store about living individuals from the EU (regardless of whether or not your business is in the EU).

If the GDPR applies to your business, there are a number of steps you must take to comply with the data protection rules. Notably, you must:

  • have a lawful basis for using personal data such as consent, contractual or legal obligations;
  • tell people how you use the data you store about them and let them see it;
  • tell people about their rights under the GDPR and assist them, where necessary, in exercising them (eg using clear, accessible privacy notices);
  • let people opt out of having their data used by you;
  • keep the data secure and up to date;
  • only use the information for the purpose(s) for which it was originally obtained, or at least only for purposes compatible with the original purpose;
  • only keep the information for as long as you need it;
  • document everything, particularly your uses of personal data, legal bases for processing it, data sharing and data retention;
  • take a ‘data protection by design’ approach, factoring in data protection to all projects involving the use of personal data; and
  • raise awareness of good data protection practice throughout your business, including providing training where appropriate.

Complying with the GDPR is largely common sense, but you should seek advice if you're at all unsure about your obligations.

Good business data protection

Put systems, procedures and policies in place to reduce the chance of a data protection breach. In particular, make sure that sensitive data is well protected:

  • Store data securely. Control user access levels so only people who need access to that data can view and edit it.
  • Don't release data to the wrong people. For instance, run a security check before talking to customers about their accounts.
  • Be very wary when copying or transferring data. Encrypt data before sending it outside your business.
  • Document everything. This applies internally and externally. If personal data is transferred to another business for any kind of processing, a contract must be in place that meets the requirements set out in the GDPR.
  • Don't store important data where it can be easily stolen or lost. For example, don't store a list of customer addresses on your laptop.
  • Be transparent. Make sure that your employees and customers are kept informed about your use of their personal data and understand their rights and how to exercise them.
  • Review and improve. Regularly review everything to do with data protection - your privacy notices, your policies and procedures, your use and retention of data, your contracts and documentation, and your training.

Ultimately, you need to create a culture of responsibility to ensure strong business data protection. This doesn't just mean writing procedures for your staff to follow. It also means offering guidance and training so they understand why data protection rules matter.