‘Are you a sole trader or small business owner?’

If so, have you taken the assessment on the ICO website?…No!

Then just google ICO and, right there on the home page, there is a section titled ‘Assessment for small business owners’.

The questions that you will be presented with seem rather innocuous, but there is more to them than meets the eye…let’s explore.

Q1a – Do you have a record of what personal data you hold?

  • This question relates to Article 30 (records of processing activities). What it is really asking is whether you have a data inventory in place.

Q1b – Do you know what you use it for?

  • This information is captured in the data inventory, so if you have not got one you are not really in a position to answer this question correctly.

Q2 – Do people know you have their personal data and understand how you use it?

  • This question is really asking whether you have a privacy notice, and not just on your website: it needs to be available at every point where you collect personal data.

Q3 – Do you only collect the personal data you need?

  • Until you have a data inventory in place and understand your data processing, you are not going to be in a position to determine whether you collect more personal data than you need or just what is necessary. This question is linked to the principle of data minimisation.

Q4 – Do you only keep personal data for as long as it is needed?

  • A better way of asking this would be: do you have a retention policy and schedule in place? If you do not, I’m not sure that you can truly answer this question.

Q5 – Do you keep personal data accurate and up to date?

  • In other words, do you have a mechanism in place to update the data you keep, and are data subjects encouraged to provide you with updates to their data?

Q6 – Do you keep personal data secure?

  • Are you using the three security techniques, i.e. cyber security, encryption and pseudonymisation? Is your hard drive encrypted as well as your files? Do you have both a cloud and a local backup? Do you use two-factor authentication? And finally, do you use pseudonymisation to protect the data? Bear in mind that pseudonymised data is still personal data, because it can be re-linked to the individual using the key or lookup table, so that key must be kept separately from the data and protected.
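Pseudonymisation is named above but not spelled out, so here is an added example (not from the ICO or from the original page) of one common way to do it: replacing the direct identifier in each record with a keyed HMAC-SHA256 token. The customer records, the field names and the candidate-guess list are all constructed for the example. It also shows why an unkeyed hash is not adequate pseudonymisation: email addresses are guessable, so anyone can rebuild the mapping with a dictionary of likely addresses, whereas the keyed token cannot be guessed without the secret key.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictional customers, not real people.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "PE11 1AA", "order_total": 42.50},
    {"email": "bob@example.com", "postcode": "PE12 2BB", "order_total": 18.00},
    {"email": "carol@example.com", "postcode": "PE11 1AA", "order_total": 99.99},
]

# Fields that directly identify a person and should be tokenised.
DIRECT_IDENTIFIERS = ("email",)


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key, truncated to 16 hex chars.

    The same value always maps to the same token under the same key, so records
    can still be joined; without the key the token cannot be reversed or guessed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: shown only for contrast, do not use."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with each direct identifier replaced by its keyed token."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            copy[field] = keyed_pseudonym(rec[field], key)
        out.append(copy)
    return out


def build_reidentification_table(records, key: bytes, field: str = "email"):
    """Token -> original value. This table (and the key) is what makes the data
    re-linkable, so it belongs in separate, access-controlled storage, never
    alongside the working dataset."""
    return {keyed_pseudonym(rec[field], key): rec[field] for rec in records}


def guess_tokens(tokens, candidates, pseudonym_fn):
    """Dictionary attack: tokenise every candidate identifier and see which tokens match."""
    table = {pseudonym_fn(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    # Generate the key once and keep it in a secrets store, not in the same place as the data.
    key = secrets.token_bytes(32)
    working = pseudonymise(CUSTOMERS, key)
    lookup = build_reidentification_table(CUSTOMERS, key)
    print("pseudonymised record:", working[0])
    print("re-identified:", lookup[working[0]["email"]])

    # Attacker's dictionary of plausible addresses (constructed).
    guesses = ["alice@example.com", "bob@example.com", "dave@example.com"]
    naive_tokens = [naive_pseudonym(r["email"]) for r in CUSTOMERS]
    print("unkeyed hash recovered:", guess_tokens(naive_tokens, guesses, naive_pseudonym))
    keyed_tokens = [r["email"] for r in working]
    attacker_key = secrets.token_bytes(32)  # attacker does not have the real key
    print("keyed token recovered:",
          guess_tokens(keyed_tokens, guesses, lambda v: keyed_pseudonym(v, attacker_key)))
```

Run as-is it prints one tokenised record, re-identifies it through the lookup table, recovers two of the three unkeyed hashes by guessing, and recovers none of the keyed tokens. Truncating to 16 hex characters (64 bits) is a readability choice; keep the full digest if the dataset is very large.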

Q7 – Do you have a way for people to exercise their rights regarding the personal data you hold about them?

  • If you don’t have a subject access request (SAR) process in place, and if you and your staff are not trained and aware of the rights of an individual and how to recognise and process a request, the most probable answer would be ‘no’.

Q9 – Do you and your staff (if you have any) know your data protection responsibilities?

  • To answer this question, you need to have determined whether you are a data controller or a data processor and to have undertaken some training to understand the regulation.

Q10 – Do you know if you’re obliged to pay a data protection fee?

For more information, call 01775 660506 or email CVG Solutions at info@cvgsolutions.co.uk