Five Data Protection Essentials

June 2023

What we can't survive without

On Radio 4’s Desert Island Discs, guests are asked to choose eight songs, a luxury item and a book they couldn’t live without. The less glamorous version is Privacy Island Discs, where we choose just five essentials for data protection survival.

Although you might choose differently, here are my five ‘must haves’, plus a luxury item and a ‘good’ read.

Privacy Survival Kit

1. Understand our data

What key sets of personal data do we have and how are our people using them?

Without knowing this information we can’t get a of handle on any potential data protection risks. Even if we don’t fall under the mandatory requirement to create and maintain a ‘record of processing activities’, it never hurts to map out what data we have and create a record.

Even a simple version – of what data we hold, what it’s used for, who it’s shared with and how long we keep it. Down the line, this sort of reference tool is invaluable in the event of a data breach, privacy rights request or other issues.

2. Training, awareness & guidance

We can’t expect our people to protect personal data and keep it secure if we don’t guide them

We need to train employees in how we expect them to behave, empowering them to make sensible and reasoned decisions.

They need enough knowledge to handle most situations in their role, but raise a query when they’re unsure and raise an alarm when necessary. And often, what they need to know will differ depending on their role.

Good data protection training and clear data policies and procedures are essential. Clearly this can be proportionate based on organisational requirements and the type of data held.

As a starter;

  • Do people know what a suspected data breach looks like and the most common causes? Do they know what to do if they suspect one has happened? Do they know they won’t be punished if they make a mistake?
  • Do people know what privacy rights we all enjoy, such as the right of access, right to object, right to erasure? Again, do they know what to do if they receive a request?
  • Have they ever considered if their processing is fair and lawful?
  • Do people have clear guidance for secure storage and sharing of personal data?

Annual online data protection training which doesn’t feel relevant, a dry data protection policy which no one reads and/or knows where to find, and no clear rules about basic data security all mean mistakes are more likely. Remember, more than three quarters of reported breaches are the result of human error.

Try to avoid making this a ‘tick-box’ exercise by creating easy to understand policies and guides. Get the Comms or Marketing team involved in raising awareness as an ongoing exercise. Use mistakes and organisational learning to reinforce key messages. How to focus data protection training

3. No surprises!

Give people information about how we use their personal data

Transparency is a key principle underpinning data protection law. We’re told we need to be honest and open about how we collect and use people’s personal information.

A privacy notice (aka privacy policy) is an absolute must have; UK / EU GDPRs set out what we must include. It may be the least visited page on our website, but not for complainers and regulators! A ‘vanilla’ notice copied from another website is unlikely to cut the mustard. For more on this see our Privacy Notice Quick Guide.

This also takes us back to my first must have; if we don’t know what data we hold and what it’s used for we can’t really have a privacy notice which truly reflects what we do.

4. Data sharing

Be open about data sharing and do it securely

Often, we need to share personal data with our colleagues and other organisations. Will people be surprised their data is being shared, are we only sharing what’s absolutely necessary and are we sharing it securely?

Our 10-point data sharing checklist has some useful pointers when sharing data with other organisations who’ll use the data for their own purposes (controllers).

If we’re permitting third parties such as service providers and technology vendors to handle our data, there are very specific contractual requirements. Data protection and our suppliers

Cyber-attacks on the MOVEit file transfer software (affecting payroll provider Zellis) and on Capita just illustrate how important it is to be on top of our supply chain contracting and due diligence. A few years back, a breach at the survey provider Typeform impacted hundreds of different organisations who used their services.

And this is before we even get started on the murky and complex world of International Data Transfers. But never fear, if the plethora of acronyms and jargon are making your head explode, you can tune in on 20 July as we Demystify International Data Transfers and/or read our International Data Transfers Guide.

5. Be prepared for the worst

Have a plan!

When a significant data breach happens, the first 24-hours can be crucial in reducing potential fallout. Thinking ‘we’ll deal with it when it happens’ isn’t a plan at all – it’s a recipe for disaster. The 72-hour timescale to notify the Supervisory Authority of a reportable breach can evaporate so fast – especially if it happens on a Friday or during a holiday period!

Even a simple procedure covering key people who’ll investigate, make decisions, answer core questions and a clear method for assessing the risk will all mitigate internal panic. See our Data Breach Guide or listen to our tackling data breaches webinar

My luxury privacy island item

Now, this shouldn’t really be a luxury, and may sound familiar to some readers. My luxury item is a CEO who genuinely recognises data protection is quite important. (Hmmm… are we stuck together on privacy island?)

Oh, and for a light beach read I’m taking the ICO’s Right of Access Guidance.