‘Are you a sole trader or small business owner?’
If so, have you taken the assessment on the ICO website? No!
Then just google ICO; right there on the home page there is a section titled ‘Assessment for small business owners’.
The questions you will be presented with seem rather innocuous, but they have a more in-depth meaning than meets the eye… let’s explore.
Q1a – Do you have a record of what personal data you hold?
- This question relates to Article 30, and what it is really asking is whether you have a Data Inventory in place
Q1b – Do you know what you use it for?
- This information will be captured in the Data Inventory, so if you have not got one you are not really in a position to answer this question correctly
Q2 – Do people know you have their personal data and understand how you use it?
- This question is really asking whether you have a privacy notice, and not just on your website: it should be made available at every point of collection
Q3 – Do you only collect the personal data you need?
- Until you have a Data Inventory in place and understand your data processing, you are not going to be in a position to determine whether you collect additional personal data or just what is necessary – this question is linked to the principle of data minimisation
Q4 – Do you only keep personal data for as long as it is needed?
- A better way of asking this would be: do you have a retention policy and schedule in place? If you do not, then I’m not sure that you can truly answer this question
Q5 – Do you keep personal data accurate and up to date?
- In other words, do you have a mechanism in place to update the data you keep, and are the data subjects encouraged to provide you with updates to their data?
Q6 – Do you keep personal data secure?
- Are you using the 3 security techniques, i.e. cyber security, encryption and pseudonymisation? Is your hard drive encrypted as well as your files? Do you have both a cloud and a local backup? Do you use two-factor authentication? And finally, do you use pseudonymisation to protect the data?
Q7 – Do you have a way for people to exercise their rights regarding the personal data you hold about them?
- If you don’t have a SARs (Subject Access Requests) process in place, and you and your staff are not trained and aware of the rights of an individual and how to recognise and process a request, the most probable answer would be ‘no’
Q9 – Do you and your staff (if you have any) know your data protection responsibilities?
- To answer this question, you need to have determined whether you are a data controller or a data processor and to have undertaken some training to understand the regulation
Q10 – Do you know if you’re obliged to pay a data protection fee?
- You can take the test on the ICO website: ‘How well do you comply with data protection law: an assessment for small business owners and sole traders | ICO’