We regularly receive requests from Companies to look into the Data Compliance of other Companies. This activity sometimes comes as a surprise to people who do not know there is a legal requirement upon Companies to do this under Article 28 of the GDPR.
The Companies we assess are sometimes trying to do business with our Client, or are proposing a joint venture where data will flow between them. In some cases the Client simply wants to check out their competition and see if there is any ammunition for the next round of Tendering or Contract Negotiations with a third party.
It is still quite shocking that 2 Years after the inception of GDPR so many Companies both large and small are still getting their data protection responsibilities wrong!
With this in mind, and in view of the recent relaxation of some lockdown restrictions, which has precipitated an inbox full of individuals and organisations offering their ‘advice’ to businesses, we felt it would be an appropriate time to draw attention to the trust we place in some organisations and how easy it is to quickly find out whether that trust is warranted or not.
During the Coronavirus lockdown, a bored and trusting public has been subjected to a 400% increase in email scams and the like. There is an old adage that says ‘if it sounds too good to be true, it probably is’.
We recommend that whenever an organisation offers to tell you how to act or what to think, especially in relation to your business, you owe it to yourself to do some due diligence on the credentials of the ‘advisor’.
We find the easiest place to discredit the ‘experts’ is Online, in the Privacy policy of their own Websites.
The Privacy policy is the great leveller: all businesses, large and small, must have one, from Government departments to Sole Traders, Charities, Clubs and Societies, Business advice organisations and even religious groups. Check out their Privacy Policy before you let them into your wallet, your business or your mind!
Here is our short 10-point checklist of easy things to look out for, which confirm whether an organisation is fully informed about Data Protection and acting lawfully itself. If they’re not – why would you let them advise you?
1) Do they even HAVE a Privacy policy on their Website? If not, don’t walk away – Run!
2) Is the Privacy Policy current? Does it mention the GDPR and the Data Protection Act 2018?
3) Does the Privacy Policy include information about how you can make a Subject Access Request (SAR) to find out what data they are processing about you?
4) If they talk about charging you £10 to respond to your data access query, they are still operating under the old Data Protection Act 1998. Charging for enquiries is now an offence.
5) Does the Privacy policy mention a contact point or person within the organisation responsible for Data Protection? This is also a requirement.
6) Does the Privacy policy show their ICO Registration number? (NB: Some businesses are exempt)
7) Does the Privacy Policy mention that you can report them to the Regulator? It should.
8) Look for ‘Marketing notices’ especially ones saying they will pass your details to third parties. Unless you specifically ask for your details to be passed to a third party they cannot lawfully do it.
9) Does the Privacy Policy include any negative acceptance? E.g. ‘Only tick the box if you don’t agree…’
10) Does the Privacy Policy include any assumptive statements? E.g. ‘By using this website you accept this policy and agree we can contact you for…’
NB: If you agree to ANYTHING there must be a positive step, such as a box to tick, to confirm you DO want to be contacted and ideally the METHOD. You might be happy to receive an email but not a phone call. The days of assumptive acceptance are GONE!
Remember, we recommend you check out ANYONE who is trying to ‘advise’ you.
Also, at this time, because many people have some time on their hands, doing a bit of Detective work is a useful exercise to complete with your own Suppliers, Customers and Competitors – save yourself a problem, a Data Breach or even a Fine! Make sure your data is safe in their hands – always assuming your own house is in order, of course!