What is Data Compliance?
Data compliance is a governance structure that ensures you control data in your business while meeting legislative regimes such as GDPR, Data Protection Act 2018, CCPA etc.
In a business environment where data volumes continue to grow rapidly, compliance is more important than ever. As technology continues to develop and advance significantly (along with associated data security concerns), the need for a comprehensive compliance regime to minimise risks becomes vital.
Compliance needs have also become increasingly complex in order to meet both fast moving changes in the business environment and global regulatory changes. Data compliance should therefore be a business operations priority – to monitor, control and manage, or to mitigate risks. Implementing business processes that are data compliant will support cost reduction, minimise risk and support business growth.
What is a Data Protection Officer (DPO)?
DPOs monitor internal compliance processes, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. They can be either an employee or a retained external resource.
Appointing a DPO can help you demonstrate compliance in a tender process and is part of the enhanced focus on accountability set out in GDPR.
When do you need a DPO?
Under the UK GDPR law, you must appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity)
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Requirements apply to both Data Controllers and Data Processors.
You can appoint a DPO if you don’t fit these mandatory requirements. Many organisations who contract with public sector organisations are required to provide evidence of good data protection practices to meet the tender obligations. Likewise larger organisations or global entities with complex data management requirements will have a DPO as part of their legal or compliance team.
Regardless of whether the UK GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the UK GDPR law. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.
If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.
What are the responsibilities of the data protection officer?
1. Uphold data protection laws and practices
Your DPO needs to be a suitably qualified and experienced individual who has an understanding of the regulations that apply to your business, and who can support the “privacy by design” principle laid out in GDPR. To do this they will need to understand the business and the technical infrastructure in your business.
2. Monitor compliance
The DPO oversees the data management processes and develops the strategies required to ensure compliance is maintained by third parties, remote workers and freelance resources. They will oversee sensitive data handling activities to provide guidance on minimising risks.
3. Support business operations and data handling
The DPO will support your business as it scales, helping you to prepare for increased volumes of data and growing numbers of remote or freelance workers. They will understand the associated risks and will review the data protection requirements for all commercial agreements.
4. Notify teams and authorities of data breaches
The DPO will manage the strategy for dealing with a data incident or breach and, in the event of an incident, lead the team to resolve the breach. They have responsibility for managing the relationship with regulatory authorities and, if required, with individuals at risk. After the event they will hold the lessons-learned review and oversee process improvement and preventative remedial actions.
5. Foster a security-aware culture
The DPO will oversee a strategy designed to build privacy and data security awareness in the organisation. This will be a combination of dedicated training, awareness messaging and ongoing support to the business.
What are the website data compliance basics every business needs to know?
Website compliance is something often overlooked and I frequently see websites that are missing key elements that are required not just by GDPR but by the Companies Act too.
Every business website needs the following:
- A cookie banner that provides information on the type of cookies used with an option to opt out before cookies are enabled on the site. Cookie banners that just offer an acceptance are not compliant.
- If a company is trading as a limited company, it must clearly show its registered company name, number and registered address as they appear on the Companies House database.
- Businesses must provide contact information that includes non-digital options such as a telephone number or a correspondence address, if different to the registered address.
- Businesses should list trade body memberships and accreditations on the website especially if these bodies are providing accreditations.
- VAT registration number where applicable
- Under the Direct Selling Regulations Act, businesses must provide refund and returns policies. It is also a good idea to include complaints process information.
- A copy of the terms and conditions of business should be provided on the website.
- If selling online, businesses must be transparent about payment options and provide clear product or service descriptions. Customers must also be informed of their rights to cancel for both products and services.
- All websites should have an SSL certificate, especially if selling online, to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users. Additionally, Google marks websites without SSL as not secure (which downgrades your site authority for SEO).
- While not mandatory, Modern Slavery, Corporate Social Responsibility and other similar policies are often added to a website.
- All websites should be evaluated against accessibility regulations to support users with differing abilities e.g. ensure alt text on images is added to support screen readers for users with sight impairments. I recommend running all sites through https://www.webaccessibility.com/
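The first bullet above says a banner that only offers "accept" is not compliant: non-essential cookies must stay off until the visitor actively opts in, and opting out must be available. The consent gate below is an added example, not code from the original post or from Koffeeklatch; the cookie names, categories and the injected cookie store are assumptions so it runs in Node as well as in a browser.

```javascript
// Added example: a consent gate that refuses to set any non-essential cookie
// until the visitor has made an explicit choice, with "reject" as easy as "accept".
// The store is injected ({ get(name), set(name, value) }) so tests can use a Map
// instead of document.cookie.

// Assumed classification: strictly necessary cookies may be set without consent,
// everything else needs a matching opt-in.
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",   // assumed analytics cookie name
  ad_id: "marketing", // assumed marketing cookie name
};

function createConsentGate(store) {
  // Default is "not decided": nothing non-essential is allowed yet.
  let consent = { analytics: false, marketing: false, decided: false };

  // Reload a previous decision so returning visitors are not re-prompted
  // and a withdrawal (reject) recorded earlier is still honoured.
  const saved = store.get("cookie_consent");
  if (saved) consent = { ...consent, ...JSON.parse(saved), decided: true };

  // Both "accept" and "reject" are explicit decisions; an omitted category
  // is treated as refused, never as accepted.
  function recordChoice(choice) {
    consent = { analytics: !!choice.analytics, marketing: !!choice.marketing, decided: true };
    // The consent record itself is strictly necessary, so it may always be stored.
    store.set("cookie_consent", JSON.stringify(consent));
    return consent;
  }

  // Returns true only if the cookie was actually written.
  function setCookie(name, value) {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) return false;                 // unknown cookie: refuse
    if (category !== "essential" && !consent[category]) return false; // no opt-in yet
    store.set(name, value);
    return true;
  }

  // The banner must be shown until an explicit accept or reject has been made.
  function bannerRequired() { return !consent.decided; }

  return { recordChoice, setCookie, bannerRequired };
}
```

Wiring a real site means calling `setCookie` (or loading the analytics script) only after `recordChoice`, and showing a "reject all" control wherever "accept all" appears.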
When it comes to email marketing, what are the data compliance 101s?
- Be transparent – tell your subscribers how often you will email, the type of content, and always invite them to unsubscribe if they want to. Most email tools will automatically include this on every email.
- Be clear about how you collected their email address – through a sign-up form on the website, an event, are they a customer?
- Regularly review lists, run re-engagement campaigns – unengaged subscribers cost you money as prices increase per subscriber block. Additionally GDPR requires you to actively manage data to ensure it is up to date.
- Grow lists organically – buying lists is a risk as you will never know what consent has been granted and for what purpose. Legitimate interest cannot be a valid legal basis in this instance.
What are the differences in data protection if you trade internationally?
GDPR pertains to individuals living in the EU, EEA and the UK and therefore individuals in other locations are not covered by this legislation. However, there are over 100 countries that now have their own privacy regulations which must be observed. Also it is important to understand that businesses outside of the EU, EEA or UK that are targeting trade within these regions must segment their data so that GDPR protections are applied to the relevant individuals.
What questions are you most frequently asked by your customers? / What do you help them with?
What do I need to do about GDPR and email marketing?
How do I use this data I have got from my CRM/social media/bought list in my marketing?
Leveraging the value of the data in a business for marketing purposes in a GDPR compliant way is always the source of the most questions.
Tell us a little bit about you and how you got into Data Compliance.
I have a background in project management having worked in organisations as diverse as TUI, TfL, Jaguar Cars and The Medical Research Council. Additionally, I had worked in a dot-com start-up and been a partner in a start-up recruitment firm that was subsequently sold. I had worked on large scale business transformation and tech projects including mass data migrations and was familiar with the Data Protection Act 1988 (the forerunner to the DPA 2018).
The birth of my twins brought many challenges as a working parent and after too many difficulties with childcare I opted to freelance, initially offering general VA services while I considered my options.
In late 2017, as I was reading about GDPR for my own business, I started to answer questions, and in early 2018 I started to deliver talks on the requirements at a range of networking groups and quickly became known as the person with a range of knowledge. I have since achieved the cDPO, CIPP/E and CIPM accreditations. This year I plan to achieve the CIPT accreditation.
Jo Brianti is our “go to person” for all things related to data compliance – she is a director of Koffeeklatch, based in West London. Please do reach out to her for expert advice regarding data compliance.