
A new year brings a host of opportunities – what if one of those was the chance to strengthen your business, build trust with customers and staff, and ensure that you are doing everything you can to protect the rights and freedoms of people regarding the personal and sensitive data you hold? Here’s data protection expert Mandy Huntley.
Here are my five top tips for you to start 2026 with a bang – putting you on the right track towards data protection assurance:
Tell people what you do with their data
It’s a requirement of GDPR that you tell people what data you collect – and where you get it from if it is not directly from them. You must explain what you will use it for, how long you keep it, your lawful basis (a reason allowed by law), who you share it with, and who in your organisation they should contact if they wish to exercise their data rights.
You can wrap all of this up in a privacy notice, which must be made available to people when they give their data or as soon as possible afterwards. Make sure you keep this document under regular review as things change, and you may need to update it.
Show your workings
At school, do you remember in maths your teacher would ask you to show your workings? Well, when it comes to data protection, I think it’s a jolly good idea to do the same.
By this I mean document how you’ve made decisions relating to data use. Draw out your data flows (that’s how data comes into the business and moves around). Create simple documents which show the protections you have in place, such as training that you provide to your team, who has access to different types of information and the security measures in place for systems. Review your policies and document in the policy when reviews and updates have taken place. Document your risk assessments and associated actions taken.
With all these things in place, in the event of a serious complaint or data breach, you’re able to prove that you’ve taken your responsibilities seriously and genuinely tried to do the right thing.
Accountability
Linked to point two is accountability. If something goes wrong, admit it and explain. We’re all human and make mistakes. The biggest risk to data protection is people – the unusual link in an email that someone clicks without thinking, allowing a hacker access, or customer paperwork left behind at a service station.
A significant personal data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. You should also inform the people whose data was lost, shared inappropriately or stolen.
In my experience, admitting when something has gone wrong and explaining what you are doing to prevent it happening again goes a long way towards preserving trust.
Plan for the unexpected
As a motor factor, you probably have a plan for when snow or icy conditions affect your operations – but what would happen if you were hit by a cyberattack, or a critical system went down and couldn’t be restored for several hours or even days?
Planning for these events can ensure that immediate steps are taken to protect people’s data, minimise the impact and continue with some degree of business whilst resolving the problem. Thinking about these situations and planning for them can provide you with the time to explore the different options before your hand is forced. Actions taken in haste often result in poor outcomes as privacy and security can be overlooked in the pursuit of a quick response.
My advice to you is take the time to plan to give your business the best possible chance if an incident occurs. Document the plan and have it printed, so that if all else fails you have a plan on paper to follow.
A little investigation can go a long way
Getting expert help to establish the foundations of information governance can ensure that your business is protected from cyber-attacks, data breaches and poor practice.
The ICO has made it clear that ignorance is no defence when it comes to breaches of UK GDPR, as it has issued fines of thousands of pounds to some businesses who claimed they didn’t understand their obligations. Ensuring that staff who have responsibility for data protection within your business receive adequate training and resources to fulfil their role is a must.
Accessing professional advice and support doesn’t have to break the bank. I offer a proportionate and down-to-earth approach to data protection. If you would like to schedule a one-hour compliance consultation, please email me at mandy@mandyhuntley.co.uk or contact me through my website www.mandyhuntley.co.uk