UK: ICO advises UK SMEs on data protection practices
The Information Commissioner's Office ('ICO') issued, on 23 January 2023, a press release in which it encouraged UK small and medium-sized businesses ('SMEs') to ensure they have the right data protection practices in place to help sustain and develop their businesses. In particular, the ICO stated that a suite of free resources for SMEs is available in the ICO's dedicated SME hub, and noted the following tips for businesses getting started in data protection:
- make a list of what personal information you have or plan to collect - you need to be able to account for all of it;
- ask why - there's a balance to be made between what you want to do with people's personal information, the benefits that brings to them, and any harm that might be caused as a result; if you're holding or using people's personal information, it must always be fair, as well as lawful;
- check that your security measures line up with the sensitivity of the information you hold and put stronger security measures in place if the data poses a higher risk or is sensitive;
- be transparent - explain to people, in a privacy notice, why you hold information about them, what you will do with it, and how long you will keep it before safely disposing of it;
- know about subject access requests - people have the legal right to know what personal information you hold about them, according to the ICO's step-by-step guide on how to deal with a subject access request;
- have a data breach action plan in place - if you lose personal information and it is likely to result in a risk to the people affected, you will need to report to the ICO; and
- check in with the ICO regularly.
In this regard, the ICO highlighted that its advice for businesses comes as it completes a pilot programme with up to 60 SMEs across the UK, in which it has been trialling a new training and development programme, named 'SME Data Essentials', which aims to empower organisations to become better equipped to manage their own data compliance.
Notably, the ICO specified that the pilot forms part of the ICO's new three-year strategic plan ('ICO25'), which details how the ICO will bring down the cost of compliance whilst enabling and supporting SMEs to invest, innovate, and grow.