The document is a presentation by Richard Syers from the Information Commissioner's Office about data protection for small and medium-sized enterprises. It covers key topics like the definition of personal data, the data protection principles, privacy notices, individual rights, direct marketing rules, security practices, and registering with the ICO. It also briefly discusses the upcoming General Data Protection Regulation which will strengthen data protection requirements.

1. Host: Robert Parker, Head of Communications
Presenter: Richard Syers, Senior Policy Officer
richard.syers@ico.org.uk
Data Protection
for
small and
medium-sized
enterprises

2. Freedom of
Information Act
2000
Environmental
Information
Regulations 2004
Upholding information rights in the public interest,
promoting openness by public authorities and data privacy
for individuals
Data Protection Act
1998
Privacy and
Electronic
Communications
(EC Directive)
Regulations 2003

3. …data which relate to a living
individual who can be identified –
(a) from those data, or
(b) from those data and other
information which is in the possession
of, or is likely to come into the
possession of, the data controller
Personal data

4. Data Protection Act 1998:
principles for processing
personal data
 Fairly and lawfully
 For specified, limited
purposes
 Adequate, relevant and not
excessive
 Accurate and kept up to date
 Not kept for longer than
necessary
 Processed in accordance with
individual’s rights
 Protected by appropriate
security
 Not transferred outside EEA
without adequate protection

5. Fairness, transparency and proportionality
 Clearly tell individuals what personal data you are collecting
and why
 Make sure you have a legal basis to process personal data
 Only collect what you need
“Artists-impressions-of-Lady-Justice, (statue on the Old Bailey, London)” by Lonpicman is licensed under CC BY-SA

6. Privacy notice
 What information is being
collected?
 Who is collecting it?
 How is it collected?
 Why is it being collected?
 How will it be used?
 Who will it be shared with?
ico.org.uk/for-organisations/guide-to-data-
protection/privacy-notices-transparency-and-
control/

7. Data quality
 Accurate and up to date
 Relevant
 Not excessive
 Not kept for longer than necessary

8. Security
 Appropriate physical security
 Appropriate electronic security
 Encryption
 Keep secure, regular backups

9. Get the basics right
 Train your staff
 Physical security
 Access control
 Encrypt portable devices
 Back up your data
 Cyber Essentials
ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
https://www.cyberaware.gov.uk/cyberessentials/

10. Individual’s Rights
 Access personal data
 Prevent direct marketing
 Prevent processing of personal data
 Rectify, block, erase or destroy inaccurate data
 Object to automatic decision making
 Claim compensation

11. What if someone asks
for their information?
 Respond within 40 calendar
days
 Can ask for :
 Proof of identification
 Further information to locate
the data requested
 Fee of up to £10 in most
cases
 Must ask for these things
promptly
 Exemptions in certain
circumstances
https://ico.org.uk/for-organisations/guide-to-
data-protection/principle-6-rights/subject-
access-request/

12. Direct Marketing
• Privacy and Electronic Communications
Regulations
• Different rules for different channels
• Respect peoples choices
• Marketing directed at an individual
• Section 11 applies to all direct marketing
• Must comply immediately with a section 11
request in most cases

13. What are the rules for
electronic marketing?
Most common forms of marketing:
Can make telephone calls without
consent, unless the number is registered
with the TPS or the subscriber has asked
you not to call the number for marketing
purposes.
Must have subscribers’ prior consent
before sending electronic marketing
messages (e.g. SMS, email) unless the
“soft opt-in” applies.
Must have subscriber’s consent to make an
automated call.
https://ico.org.uk/for-organisations/guide-to-
data-protection/principle-6-rights/preventing-
direct-marketing/

14. DPA self assessment toolkit

15. DPA self assessment toolkit

16. Guidance for
small businesses
ico.org.uk/for-organisations/business/

17. Registering with the ICO
 Public register of data controllers
 Legal requirement if processing personal data
electronically
 Costs £35 per year for most organisations
 Charities, small occupational pensions schemes and
organisations that have been in existence for less than
one month all pay £35 regardless of size or turnover
 Failing to notify when not exempt, or to keep
registration up to date, is a criminal offence

18. Registering with the ICO

19. Do I need to register?
Online self assessment
ico.org.uk/for-organisations/register/self-assessment

20. The future of data protection
General Data Protection Regulation (GDPR)
 Same basic principles as current DP law, but
strengthened
 Accountability
 New rights for individuals, and strengthening of
existing rights
 Breach reporting
 Data Protection Impact Assessments
 Higher penalties for non-compliance
ico.org.uk/for-organisations/data-protection-reform/

22. @iconews
Any Questions?
Helpline: 0303 123 1113
Keep in touch by subscribing to our e-newsletter at
www.ico.org.uk or find us on…