Information, whether it be commercially sensitive information about corporate plans or data relating to customers, is a major asset of most retailers.
Making sure you have adequate procedures and policies in place to protect data is critical for commercial success as well as compliance with legal requirements.
Alison Deighton, head of Data Protection & Privacy at national law firm TLT, recommends that retailers consider the following steps for a comprehensive information governance process. This process will assist with protecting assets and enabling the use of data in line with legal requirements:
- Map out the categories of data held by your business and the commercial and legal significance of each category of data. For example, is the information commercially sensitive? Do regulatory obligations, such as the Data Protection Act, apply?
- Ensure you understand the different ways through which information is generated and transferred. Where does data flow into and out of the business? Which types of data are generated internally and by whom?
- Consider the steps that need to be taken to protect and comply with legal obligations for each category of data at every stage of its journey through your business. For example, if information is commercially sensitive, how do you ensure that access to data is restricted and that those who have access treat the information confidentially? Do you have confidentiality provisions in employment contracts? Do all consultants sign confidentiality agreements before they are given access to information?
- In relation to regulatory obligations, ensure that you have adequate policies and procedures in place to protect information in line with legal requirements. Policies and procedures need to be backed up with regular training and compliance checks to ensure that employees are aware of the processes they should be following and are periodically monitored to ensure they are complying.
- Operational procedures need to be complemented by adequate technical and practical security measures to protect data from unauthorised access. Ensure that you obtain advice from appropriate experts on technical security requirements.
- As well as reviewing internal procedures, consider how you are complying with data protection obligations from the customer perspective. Do you have clear and transparent privacy notices in place to inform customers of how their data will be used? Are privacy policies on websites clearly signposted? Have you obtained adequate consent for all marketing activities, and do you provide easy-to-use and readily accessible opt-out procedures?
- Aim to ensure that information governance obligations are embedded in the culture of your organisation by securing buy-in and leadership at a senior level.
Failure to put in place adequate information governance processes can lead to loss of valuable assets, breach of regulatory requirements and, ultimately, loss of consumer trust. To prevent these consequences, seek assistance when drawing up an information governance programme for your business and get expert legal advice on data protection.
For more information please contact Alison Deighton on 0117 917 8016 / alison.deighton@TLTsolicitors.com. Visit www.TLTsolicitors.com