
Law for Business

11 MAY 2015

Family business and data protection

From 'Family Business Matters', Spring 2015
By Nicholas Smith, Partner, Veale Wasbrough Vizards

All businesses process and use personal information on a daily basis, from accessing employee records to collating customer contact information.

Processing this information appropriately is an important obligation for any business and is codified in the Data Protection Act (DPA). Effective data management is critical for family businesses. With the family's name above the door, it is vital to maintain a reputation of taking good care of customers and so this issue should not be overlooked.

Information security

Ensuring data security is one of the most important aspects of data protection compliance. Loss of personal data can cause devastating reputational damage.

An information security breach could result in fines of up to £500,000 being ordered by the Information Commissioner's Office (ICO). Individuals also have a right to claim compensation if their DPA rights have been breached.

To ensure all personal data is kept secure, family businesses should have a data protection policy that sets out preventative measures for securing information (such as the use of encryption and other security technology), particularly when staff are working from home or using their own devices for work.

Information rights to personal data

The DPA gives individuals various rights regarding information that is held about them by an organisation.

Individuals have the right to access this personal data by making a subject access request (SAR).

If a SAR is received it must be complied with within a strict timeframe, and the information requested must be supplied unless an exemption to disclosure applies. 'Embarrassing' emails will not be exempt and so family businesses should ensure their policies and training procedures make clear that unprofessional or rude emails may be disclosed.

Enforcement action

A family business with adequate data protection policies and procedures will often be able to present these as mitigation in the event that something goes wrong.

Robust policies that are circulated and enforced demonstrate that the business manages data carefully and that a breach was simply a 'one-off'. The ICO often cites a lack of procedures when explaining why it has issued a fine.

As part of their data protection policies, family businesses should appoint a data protection officer (DPO). Policies should name the DPO so that everyone knows who holds overall responsibility for data protection in the business and how suspected breaches should be reported.

The right to know

The DPA requires businesses to clearly inform individuals how their personal data is used, including what information is collected and who it is shared with.

This information is usually included in a 'privacy notice'. This should be displayed prominently, for example on the business' website and in staff handbooks. Anyone who makes a SAR should also be given the privacy notice.

Stay compliant

Family businesses pride themselves on being adaptable. Working with your family often means that you understand one another and can cut through bureaucracy to make decisions quickly and maintain your competitive advantage. A robust stance on data protection will ensure that family businesses are best placed to capitalise on their reputation and relationship with customers and clients.

For a template data protection policy specifically tailored for family businesses and for data protection training and audits, please contact Andrew Gallie on 0117 314 5623 or at agallie@vwv.co.uk