Complying with Information Privacy and Protection Laws
In addition to the law, good information privacy and protection makes good economic sense because it saves you time and money. It also reveals to people that you care about their information, which can help to boost your reputation and brand.
More and more people are becoming aware of their personal information rights and how it’s being used, so any organization that wants to be trusted will need to get it right.
PrivCom ultimately has the power to issue fines but most of our work with organizations is focused on helping to get information privacy and protection right the first time around, through our training, events, and our support and advice services.
Keeping people’s personal information safe is key to getting them to trust the service you offer and, ultimately, your business.
Remember, whether you have staff or are a sole entrepreneur, you’re responsible for protecting the personal information of (or information about) anyone who comes into contact with you – including your customers, suppliers and staff.
There’s no one-size-fits-all when it comes to giving information privacy and protection advice. Your business is unique and how you deal with personal information will be, too. You know your business best and this will help you decide what you do with the personal information that you hold.
1. Start with a list
You’ll probably have personal information saved on your phone, tablet or computer to enable you to do your job – such as the names and contact details of customers, members or clients. You may also have details of upcoming bookings or appointments, or other notes. If you can identify someone personally from something you have stored, then it’s personal information and you need to account for it.
Start by making a list of the personal information you have, or plan to collect, even if you don’t have much at first. For this list, you should be generalizing types of information such as ‘phone numbers of customers’, rather than listing actual phone numbers.
Information privacy and protection laws don’t apply when you’re using personal data for purely personal or household activity, so don’t worry about things like your family photo album and personal holiday planning calendar.
2. The Power of ‘why’
Your top goal is to strike a balance between what you want to do with people’s personal information, the benefits it will bring to them or to society as a whole, and any harm that might be caused as a result.
If you’re holding or using people’s personal information, it must always be fair as well as lawful. This means you should only use their information in ways they’d reasonably expect. If you obtained their personal information through means that are deceitful or misleading, then everything you do with it after that (whether you think it’s lawful or not) is unlikely to be fair.
You also need a valid reason or condition for using the personal information. Be sure to choose the best condition for the purpose and keep a record of your decision.
3. Think holistically with security embedded
Check that your security measures match the sensitivity of the data you hold. Put stronger security measures in place if the data is sensitive or poses a higher risk to the people it is about.
The measures you choose are up to you but could include things like locking filing cabinets and putting strong passwords on your devices.
4. Transparency is key!
To build trust it’s essential to explain to people why you hold their personal information, what you'll do with it, and how long you'll keep it before getting rid of it.
You should record this information in a document that describes your approach to information privacy and protection. This is known as a privacy notice.
You must have a privacy notice in place before you collect any information from anyone. Use our privacy notice template and make sure you include everything you need to.
5. Beware of information access requests
By law, people have the right to know what personal information you hold about them. There are other rights, too, but one of the most commonly asked questions is how to deal with a request for this personal information, which is known as a subject access request (SAR).
Keep an eye out for our guide on how to deal with a request for information or information access request.
6. Prepare for the worst
If you lose personal information – such as in a cyber-attack, flood, fire or theft – it may be a personal data breach. If it’s likely to result in a risk to the people affected, you'll need to report it to us. We’re here to help.
Soon, we will publish a guide on how to respond to a personal data breach so you know what steps to take in an emergency.
7. Set reminders
Data privacy and protection compliance is a journey. We update our website regularly to help you take simple steps towards improving your information privacy compliance. By setting regular reminders to check our news and advice pages, you will stay aware of current developments and best practices.