All businesses process and use personal information on a daily basis, from accessing employee records to collating customer contact information.
Processing this information appropriately is an important obligation for any business and is codified in the Data Protection Act (DPA). Effective data management is critical for family businesses. With the family's name above the door, it is vital to maintain a reputation of taking good care of customers and so this issue should not be overlooked.
Ensuring data security is one of the most important aspects of data protection compliance. Loss of personal data can cause devastating reputational damage.
An information security breach could result in fines of up to £500,000 being ordered by the Information Commissioner's Office (ICO). Individuals also have a right to claim compensation if their DPA rights have been breached.
To ensure all personal data is kept secure, family businesses should have a data protection policy that sets out preventative measures for securing information (such as the use of encryption and other security technology), particularly when staff are working from home or using their own devices for work.
Information rights to personal data
The DPA gives individuals various rights regarding information that is held about them by an organisation.
Individuals have the right to access this personal data by making a subject access request (SAR).
If a SAR is received, it must be complied with within a strict timeframe, and the information requested must be supplied unless an exemption to disclosure applies. 'Embarrassing' emails will not be exempt, so family businesses should ensure their policies and training procedures make clear that unprofessional or rude emails may be disclosed.
A family business with adequate data protection policies and procedures will often be able to present these as mitigation in the event that something goes wrong.
Robust policies that are circulated and enforced demonstrate that the business manages data carefully and that a breach was simply a 'one-off'. The ICO often cites a lack of procedures when explaining why it has issued a fine.
As part of their data protection policies, family businesses should appoint a data protection officer (DPO). Policies should name the DPO so that everyone knows who holds overall responsibility for data protection in the business and how suspected breaches should be reported.
The right to know
The DPA requires businesses to clearly inform individuals how their personal data is used, including what information is collected and who it is shared with.
This information is usually included in a 'privacy notice'. This should be displayed prominently, for example on the business' website and in staff handbooks. Anyone who makes a SAR should also be given the privacy notice.
Family businesses pride themselves on being adaptable. Working with your family often means that you understand one another and can cut through bureaucracy to make decisions quickly and maintain your competitive advantage. A robust stance on data protection will ensure that family businesses are best placed to capitalise on their reputation and relationship with customers and clients.
For a template data protection policy specifically tailored for family businesses and for data protection training and audits, please contact Andrew Gallie on 0117 314 5623 or at firstname.lastname@example.org