How should SMEs and startups think about the legal use of personal information? You must first ask yourself the necessary questions for your business
Does the company keep track of what personal data it has on users? Is it clear why?
- Are you aware of what information is going into, through, and out of the company.
- Does this information contain the consumer's personal information? Are these identified and processed? Is it for telemarketing or member login details?
- Do you know the purpose of collecting and using personal information?
- Are there records of personal data held? Is there processing and why is it held?
- There are six legal bases for legally holding and processing, and whether information can be legally held. You need to record the following information:
- What personal data you have, such as name, email address, etc.
- How to get personal information, such as application form, through website, etc.
- why do you have
- Past holding time of personal information, expected holding time of personal information
- Whether to share personal information
- Whether the information is special personal information, sensitive personal information such as medical information
Do users know that you own their personal data and how you use it
- Has the company ever told users how you use their personal data
- Whether to tell users that the company has shared personal information
- Whether to tell users how their personal data is expected to be handled, such as how marketing messages are pushed
- The following should be noted
- Users must know that the company is responsible for the person in charge of personal information
- Why personal information can be held (legal basis) and how to process it
- Where to get personal information
- With which partners to share personal information and how, including whether to share cross-border
- Length of holding personal information
- How to request, correct, delete their personal data
- How to appeal to the ICO (UK Personal Information Authority)
- Profile analysis and data content used in automated decision-making
Whether to collect only the personal data you need
- Do you only collect and process the personal information required by the company?
- Whether users are made aware of the personal information they are required to provide and which they may provide at their own discretion
- Example: Ashley is a window cleaner who collects the names and addresses of his customers because he needs to clean the windows. Ashley may also need to collect e-mails from his consumers so that he can send bills, but when this is not necessary, he must inform his consumers that the request for personal information is optional.
Does the company hold personal data only when they need it
- Whether to decide the necessary record length
- Have you decided and documented how long you will hold the personal data you collect?
- Is there any update or destruction of personal information after a specific time?
- Is it safe to delete or destroy personal data as long as it is no longer needed
- For example, Peter is a news vendor who collects the names, addresses and phone numbers of consumers, as well as requests for weekly newspapers and payment details. A file created by Peter with the personal data he collected and the retention period. After the custody period was terminated, he safely destroyed the personal information he held by shredding paper. He also regularly confirms personal data and confirms whether it is regularly deleted during the period in which it is held.
Whether personal data is held correctly and kept up to date
- There are regular confirmations that personal information is correct and kept up to date
- For example: Kevin is the manager of the local football team. Every month he will send a letter to the team about future game information. Kevin should regularly confirm the membership of the organization and whether the e-mail is correct.
- Is it possible to update information quickly enough as long as consumers request
Is it possible to ensure that personal data is sufficiently secure?
- Whether personal data is kept secure in the office, such as through a lockable file management system, and computers are locked or logged when employees leave their desks
- Whether specific measures are taken to ensure the security of personal data when it is extracted or transmitted by employees, for example, whether to provide only the information they need or whether to transmit it in a secure manner
- Do you maintain document security, use lockable storage devices, and handle paper-based document security?
- Whether to maintain electronic data security by encrypting mobile devices, using passwords and backing up information
Is there a way for users to exercise their rights over company-owned personal information?
- Is it clear about the rights of the individual under the statute?
- Summarized as follows, including
- Right to be informed - be informed about what personal information the company holds and how it is used
- The right of access - sufficient to respond to requests to copy the personal data they hold
- Right to Amendment - enables consumers to update their information
- Right to erasure - companies can be asked to delete/destroy their data
- Right to restrict processing - the type and total amount of data can be restricted
- Data portability - can request to move their data electronically to other commercial organizations
- Right to refuse - can ask the company to stop using their personal information Is there a plan to handle any request? The above-mentioned requests can be made by text, voice, in person or by mobile phone, and cannot be limited to written letters, etc., and these situations must be handled in a normal way. For example, Simon, a local football operator, received a request from a player for all the games he played in the last year, which could be done as a daily affair. Local football teams under the age of ten, from the parents' request to keep the information of the children of the football team.
- Is it clear about the longest time to respond to a request.
Whether there is a clear responsibility for information protection
- Is there any training staff, especially those who hold the user's personal data?
- In the event of a breach of personal data protection, the ICO and the individual must be notified
There is such a long notice in Yangshasa. On the bright side, the website has already translated and organized the above content. If the system of personal data can be incorporated into the company's organizational planning when planning, it will be more profitable for investors, shareholders, users the trust of the trader and the counterparty.
No matter how big or small the company is now, work hard to make a complete plan and big dream. Let's work together to protect personal assets!
Like my work? Don't forget to support and clap, let me know that you are with me on the road of creation. Keep this enthusiasm together!