Millions of people are unaware of how their personal information is being used, collected or shared online. But as a business owner, you have a responsibility to pay attention to data privacy.
Do you know what personal data you hold about your customers and clients? Are you collecting it carefully and storing it securely?
Under the Data Protection Act (DPA) 2018, anyone responsible for using personal data has to follow strict rules called data protection principles.
But understanding the finer points of data collection, storage and security can be complicated – as we see from the many questions posted about these issues on our IT & Internet forum.
Luckily, several UKBF members are specialists in this area and are happy to share their expertise with other members.
As it’s Data Privacy Week, we took to the forums to see what data security issues our members have been grappling with, and gather the best advice to empower your business to take action.
1. How to get to grips with GDPR
General Data Protection Regulation (GDPR) sets out specific legal obligations for businesses processing personal data. For example, you’re required to maintain records of personal data and processing activities – and if you’re found responsible for a breach, you will have legal liability.
The Information Commissioner's Office (ICO) has a detailed guide to GDPR to help you understand how it applies to you.
When processing personal data, it’s also important to tell people what you’re doing with it. Include this information in a privacy statement, outlining how you collect and store personal data and your policy on removing it. Make this available somewhere obvious on your website, alongside your T&Cs.
2. What to do if a customer wants their data deleted
One GDPR challenge that many small businesses face is what to do when a customer requests that you remove their data from your records. Business member @cjd gave this advice:
“[The customer] has a right to ask and you must delete it. You can keep data that you need to run your business effectively – but no longer than necessary. If you need some data for your accounts or other real reason that's fine, but keeping their hat size would not be, for example.
“We delete all data automatically after 12 months of account closure and some that is not needed by us (or the regulator) on request.”
He also warns that deleting data isn’t a common request and if you’re unsure of the customer’s motives, check their payment history before going ahead.
For more information, see the ICO’s guide on your right to get your data deleted.
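As an added illustration (not @cjd's code or anything posted in the thread), here is a small Python model of the retention rule described above: fields tagged as needed for the accounts or the regulator are kept, everything else is removed on request or automatically 12 months after account closure. The `required_for_accounts` tag and the sample record are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Retention window quoted in the post: purge 12 months after account closure.
RETENTION_AFTER_CLOSURE = timedelta(days=365)


@dataclass
class CustomerRecord:
    customer_id: str
    closed_on: Optional[str] = None            # ISO date; None while the account is open
    fields: dict = field(default_factory=dict)
    # Hypothetical tag: names of fields needed for accounts or the regulator
    required_for_accounts: frozenset = frozenset()


def fields_to_purge(rec: CustomerRecord, today: str, erasure_requested: bool = False) -> set:
    """Names of fields to delete now, following the post's two rules:
    data with a real business or regulatory need is kept (no longer than necessary);
    everything else goes on request, and automatically 12 months after closure."""
    closed_long_enough = (
        rec.closed_on is not None
        and date.fromisoformat(today) - date.fromisoformat(rec.closed_on) >= RETENTION_AFTER_CLOSURE
    )
    if not (erasure_requested or closed_long_enough):
        return set()
    return {name for name in rec.fields if name not in rec.required_for_accounts}


def apply_purge(rec: CustomerRecord, today: str, erasure_requested: bool = False) -> set:
    """Delete the purgeable fields in place and return the names removed."""
    removed = fields_to_purge(rec, today, erasure_requested)
    for name in removed:
        del rec.fields[name]
    return removed


def sample_record() -> CustomerRecord:
    """Constructed sample (not real customer data): closed account, one field kept for accounts."""
    return CustomerRecord(
        customer_id="cust-001",
        closed_on="2023-01-15",
        fields={"email": "a@example.com", "hat_size": "58cm", "invoice_total": "120.00"},
        required_for_accounts=frozenset({"invoice_total"}),
    )


if __name__ == "__main__":
    rec = sample_record()
    print(apply_purge(rec, "2024-02-01"))   # hat_size and email removed, invoice_total kept
    print(rec.fields)
```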
3. The impact of Brexit on GDPR
To cut a long, complicated story short, the EU version of GDPR that we previously adhered to has been replaced by a new data protection framework known as the ‘UK GDPR’. This is enshrined in law under the DPA 2018.
UK organisations that only process domestic personal data must comply with the DPA 2018 and UK GDPR.
But if your organisation processes domestic personal data and offers goods and services to, or monitors the behaviour of, EU residents you must comply with the DPA 2018, UK GDPR and the EU GDPR.
This ICO guide on Data Protection and the EU has more information.
4. How to choose the best place to store data
This is a big question, and the truth is that the answer could be different depending on your business.
“It's not one size fits all. It depends what type of data you're backing up, the quantity or frequency of it, and how many machines or people need to access it,” @Paul Carmen said.
He added that if it's for disaster recovery for a large amount of data, an SSD style backup is an efficient option.
“If it's office-type data from multiple people on several computers across multiple locations that needs to be shared, then SharePoint and MS 365 (or Google equivalent) keeps it pretty safe and accessible,” he said. “You do want fast internet access though, or it's clunky and slow.”
@fisicx seconds the idea of SSD storage. “I’ve got a chunky SSD plugged into the router that does an incremental backup every night. I also back up each week to my server and sync between devices. All of this means I’m not beholden to any third party cloud provider.”
For @The Byre, the best option is mirrored local storage. “We have to have everything stored in triplicate and it has to be 100% secure and the bulk is pretty damn big – many, many TBs,” he says.
“Faffing about with silly (and slow) cloud 'solutions' would be for us a complete waste of time and money.”
5. How to defend against ransomware
Ransomware is a type of malware (malicious software) that stops you from accessing your computer or the data stored on it. It may lock the computer or steal, delete or encrypt the data, causing a serious breach of security to your customer base.
Ransomware generally involves a demand for some kind of payment, like in the NHS ransomware attack in 2017. The payment is usually to be made in a cryptocurrency, in return for unlocking your computer or returning your data.
Most reports of cyber attacks focus on the impact on large companies, but small businesses are not immune.
According to the National Cybersecurity Alliance, “Cybercriminals know that small businesses rarely have the resources to defend themselves the way that large enterprises can, which makes them lucrative targets for ransomware and cyber extortion”.
This is an issue that generated a big discussion on the UKBF forum when @Spreadsheet Accountant started a thread about how to protect against ransomware attacks.
“You really want enterprise-class endpoint protection, and effective web and email filtering,” replied @forevergroup. “Use a defence-in-depth strategy by layering multiple vendors that use different databases and engines.”
His other advice was to:
- Patch your endpoints and applications religiously
- Evaluate intrusion prevention and breach detection mechanisms both at network edge and elsewhere
- Revoke local admin and use something like Threatlocker
6. When to pay for specialist help
It’s tempting to reduce your overheads by taking care of data protection yourself. That approach may suit you fine… until something goes wrong, says @Nico Albrecht.
“The simple answer is to hire and pay a professional in that field. Like with any other question in accounts and legal, the answer is: ask your accountant or a solicitor.”
“Same goes for IT. If you have to ask the question, pay for the advice. Ransomware, malware and viruses are a very real threat to any business, but plenty just ignore it or don't take professional help and pay for it.”