Home/Blog/Starting a New Business? What You Need to Know about Data Compliance

Starting a New Business? What You Need to Know about Data Compliance

Starting up a business is a tough time. Organising finance, finding offices and all the standard responsibilities can mean that privacy and data security are the last items on your agenda.

However, compliance with the data protection act is a vital part of any company’s procedures, including start-ups. With many new businesses using technology and software in different and exciting ways, guarding customer and client information has never been more important.

A breach in data security could potentially bring fines that will close a start-up before it has even started to become profitable. Equally, a weak data protection policy could lead to a low valuation of the business, making the process of securing additional finance more costly and difficult.

Data protection is more than simply stopping fraudsters or competitors from obtaining your client and customer records. It also concerns the way you utilise and exploits your data. For instance, many companies send regular marketing emails and communications to their clients. If this audience has not been given the chance to opt-out, you could be breaching data protection laws.

The law applies to all small businesses, including sole traders and part-time companies. All customer information ranging from photographs to phone numbers is subject to the data protection act, requiring businesses to take action in accordance with the law to prevent breaches.

If you are considering starting up a business, what are the ideal first steps to assure compliance with this set of regulations?

Register with the ICO

Any business that works with data or customer records needs to register with the ICO. This is a very simple process that costs around £35 (no VAT) per year and can be completed via a form through the ICO website. There are a number of exemptions to this requirement, with a quick self-assessment process available on the site.

Transparency with Data Collection

When you are collecting data for your marketing program, whether through online sources such as free information giveaways, subscription email lists or business meetings and networking, it is vital to make potential prospects aware of what you plan to do with your data. Ensure your website has an up-to-date privacy policy and allow your audience to opt into marketing schemes.

Did you also know that videoing individuals now come under data protection? If you use CCTV cameras to protect your premises, equally these must be properly labelled and their locations registered.

Implement an IT User Policy

With a new start-up, it is possible for staff and directors to be very relaxed with the company’s IT policy. Sharing passwords, USB drives and even keeping personal records of files on home computers can all expose your company to a breach in security. By putting a strong, no-nonsense IT user policy in place, the risks are dramatically reduced.

One way many new tech-based start-up companies are dealing with data protection is by outsourcing all their IT storage to cloud-based providers. Some data and customer handling solutions, such as the popular Salesforce, now allow users to store their data in the cloud which is stored in line with the Data Protection act.

Disposal of Sensitive Information

From scraps of paper that are used to take down customer notes whilst on the phone to old computer hard drives, any media that has been used to retain customer information must be properly destroyed.

Companies are required to demonstrate their compliance in securely destroying materials that are no longer required. In the event of a breach, documents like Waste Transfer Notes and Certificates of Destruction can establish liability. It will quickly admonish your company of any responsibility.

Respond to Subject Access Requests (SARs)

If you store information about individuals or companies, there is a chance you may receive a subject access request. This is where a business or individual can request to view the information you hold about them.

Under GDPR you have one month to respond to this request. It is therefore good practice to have a procedure in place to deal with any SAR quickly and efficiently. This includes understanding what information should be revealed under the SAR and the information you can keep confidential.

Getting data protection right for your start-up company is a vital part of being able to perform in today’s marketplace. With a company’s reputation playing such a large part in modern business, a well-publicised breach in your data security measures could substantially harm your start-up before it has even become profitable.