Starting a New Business? What You Need to Know about Data Compliance

Starting up a business is a tough time. Organising finance, finding offices and all the standard responsibilities can mean that privacy and data security are the last items on your agenda.

However, compliance with the Data Protection Act is a vital part of any company’s procedures, including start-ups. With many new businesses using technology and software in different and exciting ways, guarding customer and client information has never been more important.

A breach in data security could potentially bring fines that will close a start-up long before it has even started to become profitable. Equally, a weak data protection policy could lead to a low valuation of the business, making the process of securing additional finance more costly and difficult.

Data protection is more than simply stopping fraudsters or competitors obtaining your client and customer records. It also concerns the way you utilise and exploit your data. For instance, many companies send regular marketing emails and communications to their clients. If this audience has not been given the chance to opt out of such a program, then you could be breaching data protection laws.

The law applies to all small businesses, including sole traders and part-time companies. All customer information, ranging from photographs through to phone numbers, is subject to the Data Protection Act, requiring businesses to take action in accordance with the law to prevent breaches.

If you are considering starting up a business, what are the ideal first steps to ensure compliance with this set of regulations?

Register with the ICO

Any business that works with data or customer records needs to register with the ICO. This is a very simple process that costs around £35 (no VAT) per year and can be completed via a form through the ICO website. There are a number of exemptions to this requirement, with a quick self-assessment process available on the site.

Transparency with Data Collection

When you are collecting data for your marketing program, whether through online sources such as free information give-aways, subscription email lists or business meetings and networking, it is vital to make prospects aware of what you plan to do with their data. Ensure your website has an up-to-date privacy policy and allow your audience to opt into marketing schemes.

Did you also know that videoing individuals now comes under data protection? If you use CCTV cameras to protect your premises, these must equally be properly labelled and their locations registered.

Implement an IT User Policy

With a new start-up it is possible for staff and directors to be very relaxed with the company’s IT policy. Sharing passwords, USB drives and even keeping personal records of files on home computers can all expose your company to a breach in security. By putting a strong, no-nonsense IT user policy in place, the risks are dramatically reduced.

One way many new tech-based start-up companies are dealing with data protection is outsourcing all their IT storage to cloud-based providers. Some data and customer handling solutions, such as the popular Salesforce, now allow users to store their data in the cloud, where it is held in line with the Data Protection Act.

Disposal of Sensitive Information

From scraps of paper that are used to take down customer notes whilst on the phone through to old computer hard drives, any media that has been used to retain customer information must be properly destroyed.

Companies are required to demonstrate that they have contracts in place for the shredding of paper and the proper destruction of computer media. In the event of a breach, this paperwork is vital in establishing liability and will quickly absolve your company of any responsibility.

Respond to Subject Access Requests (SARs)

If you store information about individuals or companies within your organisation, then there is a chance you may receive a subject access request. This is where a business or individual can make a request to view certain information that you hold on them in your systems.

Under the Data Protection Act you have 40 days to respond to this request, and it is therefore good practice to have a procedure in place to deal with any SAR quickly and efficiently. This includes understanding what information should be revealed under the SAR and the information you can keep confidential.

Getting data protection right for your start-up company is a vital part of the process of becoming able to perform in today’s marketplace. With a company’s reputation playing such a large part in modern business, a well-publicised breach in your data security measures could substantially harm your start-up before it has even become profitable.