22/07/2015

By Gilbert Hill, Governor Technology


There has been a rise in awareness of data privacy and the monetisation of personal data by big companies recently, exacerbated by the phone-hacking trials and Snowden revelations.

As a small and medium-sized enterprise (SME) you may think this doesn’t apply to you, and admittedly it’s unlikely you’re dealing with the mass of personal data which the likes of Google and Facebook handle. However, with recent and forthcoming regulation it makes sound business sense to understand your responsibilities to regulators and customers in this brave new world.

Today we’ll look at how you can deal with data privacy within your company and how you can use existing resources to understand your use of personal data and ask the right questions of your staff, suppliers and partners.

For most SMEs, the main hub of their marketing and digital interaction with customers and the public is their website. For a few years now, there has been a requirement for sites to disclose their use of ‘cookies’.

Cookies are snippets of code dropped onto a user’s device when they visit a site. Their original purpose was to improve the user experience by recognising the user when they return to the site, but they have a darker side, which is to track users across the web and serve them adverts based on their browsing history.

If you have a basic site listing services and the people who deliver them, you may think the chances of having tracking cookies are low, but in reality some 80% of cookies on sites are put there by a third party.

This means that if you have a content management system like WordPress, web analytics tracking, or an instant chat service on your site, each of these can be a ‘Trojan horse’ for cookies. The reason a lot of these widgets are free or very cheap is that they sell the tracking data to advertisers; however, as the site owner you are responsible if someone complains or the regulator comes knocking!

So, the first point of action is to find out what cookies your site is using. To this end, we built and maintain www.cookiepedia.org, a free resource where you can enter the web address of your site, and it will tell you what cookie tracking is being carried out.
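As an added illustration of that first step (example code written for this article, not Cookiepedia’s own tooling), the script below takes the Set-Cookie headers captured while loading a site’s home page and sorts them into first-party and third-party cookies, noting whether each carries the Secure and HttpOnly flags. The site name, hosts, cookie names and values are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample capture: (URL of the response that set the cookie, raw
# Set-Cookie header). Hosts and cookie names are invented for illustration.
SITE = "www.example-sme.co.uk"
SAMPLE_SET_COOKIES = [
    ("https://www.example-sme.co.uk/", "PHPSESSID=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example-sme.co.uk/", "wp-settings-1=editor; Domain=.example-sme.co.uk; Path=/"),
    ("https://collect.tracker-example.net/px.gif", "_uid=42; Domain=.tracker-example.net; Path=/"),
    ("https://chat.widget-example.com/embed.js", "visitor=9f; Path=/"),
]


def parse_set_cookie(url, header):
    """Return (name, domain, attrs) for one Set-Cookie header.

    The cookie's domain is its Domain attribute (leading dot removed) or, for
    a host-only cookie with no Domain attribute, the host that set it.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower() or urlsplit(url).hostname
    return name, domain, attrs


def is_first_party(site_host, cookie_domain):
    """True if the cookie domain is the site host itself or a parent of it."""
    site_host = site_host.lower()
    return site_host == cookie_domain or site_host.endswith("." + cookie_domain)


def audit(site_host, set_cookies):
    """Classify every captured cookie and record its security flags."""
    report = []
    for url, header in set_cookies:
        name, domain, attrs = parse_set_cookie(url, header)
        report.append({
            "name": name,
            "domain": domain,
            "party": "first" if is_first_party(site_host, domain) else "third",
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return report


if __name__ == "__main__":
    for row in audit(SITE, SAMPLE_SET_COOKIES):
        print(f"{row['party']:5} {row['domain']:26} {row['name']:14} "
              f"secure={row['secure']} httponly={row['httponly']}")
```

This only sees cookies set by HTTP headers; cookies written by embedded JavaScript never appear in Set-Cookie, so pair it with a browser-side check of the cookie jar after the page has fully loaded.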

Once you have this in hand, the next port of call is your suppliers. You should share the report with them, and check that they have the right certificates, processes and disclosure of their use of personal data.

On top of cookies, more general use of data and the requirement to respect privacy is coming in the form of the EU Data Protection Regulation, due to be passed later this year. This is by its very nature complex and opaque, and I wouldn’t recommend trying to wade through the detail, but the site www.eudataprotectionlaw.com is a good place to start, and features a number of free tools and resources you can download to get started.

Another thing to think about, and quiz your supplier on, is where your data is stored. Under an arrangement known as ‘Safe Harbor’, US companies enjoy more lax regulation than their European equivalents. This means they can legally do things with your data for which you, as a UK-based business, can be on the hook!

To mitigate this business risk, most hosting companies or cloud providers offer services from servers based only in Europe, and comply in advance with the upcoming EU regulation. If your supplier is dealing in data, then they should be aware of all this and have the necessary compliance in place, so you can concentrate on running your business.

Another requirement of which many businesses are unaware, or think doesn’t apply to them, is to register as a Data Controller with the ICO (the UK data regulator) if they process any personal information. This costs £30 a year, and you can find the details on how to register here: https://ico.org.uk/for-organisations/register/

All of this may seem like an added burden on your business, and in a way it is. But being able to show that you have given data privacy some prior thought and applied it to your activities will not only stand in your favour should something go amiss and the regulator come knocking; it’s a good look for your business with an increasingly privacy-savvy public, too.