The importance of data protection

In recent months, high-profile cyber-attacks, such as those suffered by M&S, Jaguar Land Rover and more recently, Harrods, have thrust data protection into the news – and into the minds of many business owners. Hackers are always pushing at doors, seeing which ones let them in, and as a business owner, you must be ready to protect everything that you’ve worked so hard to build.
I’m Mandy Huntley, a data protection expert with close to 20 years’ experience in public and charity sector governance. Coming from environments where the stakes are high due to the sensitive data the organisations hold and process, I’m in high demand with small and medium-sized businesses that want to turn what’s previously been seen as a headache into their superpower.
Back in 2016, when the General Data Protection Regulation (GDPR) was published, businesses were given two years to prepare before it became law in May 2018. We’ve had data protection legislation for generations, but GDPR modernised and tightened the protections for individuals and significantly raised the penalties for violating the law. Subsequent legislation, such as the Data (Use and Access) Act 2025, has continued this journey of modernisation and there’s more to come.

GDPR brought a flurry of myths
One of the biggest myths is that you must have the person’s consent to collect or use personal data about them. This is not true; it very much depends upon the situation and the purpose of the data processing – did you know there are six reasons (called ‘lawful bases’ in law) which permit an organisation to collect or use personal information?
They cover everything from fulfilling a contract and legal obligations – such as keeping records for tax purposes – to activities that serve your business interests, provided these are balanced with individuals’ rights, such as certain types of marketing. Consent is only one of the six lawful bases.
You should make information available to people whose data you collect, use or hold, including the lawful basis you rely on. This includes your trade customers and consumers. Relying on an incorrect lawful basis can cause problems if there’s a dispute or another complication at any point in your relationship with an individual.
Why does it matter? There are a couple of ways to look at this: from the perspective of the business and from the perspective of the individual whose data you hold. Both are covered in the sections that follow.
How do you guard against this?
There are simple things you can put in place to reduce the risk, position your business on a solid foundation and arm yourself and your staff with the know-how to protect against incidents, thereby turning data protection into a competitive edge not a burden.
The first step, at the most basic level, is to draw out your data flows – how data comes into the organisation, how it moves around and is used, and how it is finally destroyed. Physically plotting this on paper enables you to see the gaps in protection: the points at which one mistake (because after all you’re human) or one weak system can let the whole process down.
Simple rules plus a process to follow when making changes to systems or processes help ensure that business development happens in a way which doesn’t create cracks in your protections.
Having processes built on this foundation of data protection, coupled with training for staff who use personal data or the systems that hold it, can ensure that data flows around your business in a safe and appropriate manner. Organised storage of personal data can ensure that it’s available when needed and only available to people with a legitimate need to know.
The business perspective
A data incident, whatever the cause, can disrupt your business. It can mean days, weeks or even months of downtime or reduced activity, and the expense can be vast. You might need to bring in various experts or reroute processes in the hope of keeping the business flowing.
Within 72 hours of becoming aware of a significant personal data breach, you must report it to the Information Commissioner’s Office (ICO), the data protection regulator in the UK. You may also need to deal with press coverage, social media noise, and communication with suppliers, customers, staff and all other stakeholders.
People have rights
Individuals – you, your staff, customers and suppliers – have rights. These include the right to know what data you collect, where it comes from, what you use it for, whether you share it and how long you keep it for. They also have the right to request access to the data you hold about them and that’s not just limited to what’s in your CRM or sales system. It covers emails, instant messaging, recordings of phone calls, CCTV, handwritten notes – everything!
This is called Data Subject Access, and if you were to receive such a request, the law states that in most cases you have one calendar month to respond.
Recently a business owner was ordered to pay over £6,500 in fines and costs for failing to respond to a Data Subject Access Request, and he was handed a criminal record for preventing disclosure of data under the Data Protection Act 2018.
So, the stakes are high and ignoring the legislation isn’t an option. Building that sound foundation of data governance should enable you to receive a request and identify the relevant data efficiently. These requests can involve a lot of information, and the process of extracting data from systems and ensuring it’s ready to be shared with the individual can be lengthy. The trick is to identify the request quickly – sometimes it’s buried in an email or a letter from an individual – and then know exactly where to get the information from.
The individual’s perspective
Consider, for a moment, all the information you hold in relation to your employees: financial information, health information, home addresses; the list goes on. If enough of that information falls into the wrong hands, there’s potential to clone that person’s identity. The ramifications can be huge. Even if that doesn’t happen, a privacy breach causes anxiety, distress and a loss of trust.
Data protection by design
Whatever you do with data about people, you must consider their rights every step of the way; for example, if you upgrade your CCTV from an on-site server to a cloud-based system, you must do your homework.
Ask questions like: who else has access to the images? How long are images kept for? How does the hosting company protect the data? What happens if the hosting company suffers a cyber-attack?
These questions ensure you provide staff and visitors with assurance that the CCTV images you collect are protected. Add this to your own policy on when the images will be used, who they can be shared with, and in which circumstances they could be shared, and you’re well on the way to ensuring that your collection of this data is lawful.
Let’s talk
I hope you’ve found this useful. Establishing your foundation of data protection can feel daunting, but I’m here to help and offer a jargon-free compliance consultation. Contact me at mandy@mandyhuntley.co.uk.