Small business best practice: Data Protection
24 May 2018
Data protection might not be at the top of the list for a business, and it's no surprise. Running a business is a balancing act. You're in charge of handling every aspect of the company, hiring the right people, and keeping everything on the right side of the law.
One of your most important roles as the company's founder is managing the money. Capital is the lifeblood of a business, and if you don't learn to manage your money, your company will most likely die.
Properly handling finances can extend your runway and give you more time to work on your business.
As small business accountants who have worked with over 10,000 SMEs throughout the last four years, the team at Accounts and Legal have a knowledge of succeeding, and we are ready to share that with you.
As part of our new “Best Practice” series, we will be talking you through a range of topics, all designed to help you fully understand your business, evaluate it against our views on best practice, and ultimately arm you with the knowledge you need to take your business to the next level.
In the series, we will take you through the likes of budgeting, forecasting, management reporting, debtor control, project evaluation, stock control and fixed assets, to name a few. This week we focus on Data Protection.
What is Data Protection?
Data Protection refers to how an individual’s personal, and sometimes private, information is used by organisations, businesses or the government.
Kept under control by the Data Protection Act, anyone responsible for using data has to follow strict rules called “data protection principles”.
In abiding by the principles, information must be: used fairly and lawfully; used for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled according to people’s data protection rights; kept safe and secure; and not transferred outside the European Economic Area without adequate protection.
Additionally, there is stronger legal protection for more sensitive information, such as ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.
Data protection checklist for financial services firms
Considering the legal imperatives discussed above and the rapid conversion of the global economy to an increasingly digital, internet-driven model in all respects, firms need to access the expertise that can help them create a strong data protection infrastructure.
Compliance officers can help the process by creating an evolving list of action items designed to assist organisations in beginning the process of protecting the personal data of their clients.
Two experienced information technology experts explained to me what should go into the list. The list anticipates that the firm has assessed what types of data about clients are collected and where the information is stored.
Collection of data
When collecting data, clearly inform the individuals about the purpose for which it will be collected, used or disclosed and obtain their consent in writing.
If you collect personal data from third parties, ensure the third party has obtained consent from the individuals to disclose it for your intended purpose.
Be able to show that the client understands what the process entails for withdrawing consent for this use or disclosure of their data.
Provide regular training to all employees and third-party employees that will have any contact with and responsibility for personal data about how to safely collect it, use it, store it, alter it and remove it.
Use of the data
The purposes for which you obtained consent to collect personal data must indeed be the only ones used by the firm and its vendors.
Any changes in the disclosure and use of the personal data collected should receive a new and separate consent in writing.
Access to the data
There must be a formal procedure in place to handle requests for access to personal data, including their purpose, an evaluation of their data security measures, storage locations, access rights (individuals and other companies) and disposal mechanisms.
Clients should be informed that another party has requested access to their details and for what purpose – and again, consent should be retrieved in writing.
There must be a process in place at your firm and any others that have access to this data to handle correction requests – from how it is performed to who does it and verifies the changes are safely saved.
You should consider whether there are other parties that could have access to the data through a backdoor mechanism – such as a password to another part of the system that does not contain sensitive details but through which a sophisticated hacker could navigate to gain such access.
Contractual arrangements for storing and transferring data overseas must include attestations that the data will receive the standard of protection accorded personal data in the United States and your organisation’s own standards.
Audits and remediation
Your firm must have a schedule of regular audits of the personal data it holds and the protection applied to it – detailing all of the considerations listed above, among others.
Outside experts can help with this task, but an in-house audit should also be done to show regulators the organisation as a whole understands the processes being used and has a means to test them itself.
Draft a remedial plan that identifies the actions that must be taken – including the resources needed and people involved – in case a security breach occurs.
Outside experts can certainly weigh in, but the remediation must suit the type and breadth of information your business retains and the risks your organisation faces – and those areas are best considered in-house.
Although regulators do not expect compliance and risk professionals to be experts in the area of data protection and information security in general, there is a certain level of understanding that must remain in-house.
That is, firms must maintain sufficient internal understanding of the best practices enumerated above and about data protection in general to be able to ask the right questions – and the right follow-up questions – when hiring business partners to help manage this data.
There needs to be enough firm-based know-how to be able to oversee this work with the sufficient skepticism and high standards required in this risk area.
A potential over-reliance on third-party assurances can be detrimental, and it would be wise for any firm to have one board member who can speak “tech speak” and generally be aware of the relevant best practices in this evolving arena.
Keep an eye out for our "Best Practice" series as it comes online every week, filled with information specifically tailored to help your business perform at its greatest level.
Alternatively, you can try our instant accounting quote tool and get a fee in just 5 clicks.