Data Protection – how does it affect me and my business?
With more and more companies turning to digital technology to manage customer data, and data becoming ever easier to copy and share as a result, it is the duty of any business, small or large, to take a careful, ethical stance when handling sensitive customer information.
Apart from the ethics of the matter, it is vital to comply with the Data Protection Act to avoid substantial fines. The Information Commissioner’s Office (ICO) has the power to fine any data controller, small businesses included, up to £500,000 for serious breaches of the Data Protection Act 1998 (the Act described on this page, since replaced by the UK GDPR and the Data Protection Act 2018).
Any business that holds personal data about customers or employees is a Data Controller under the Act and is obliged to ensure that its eight data protection principles are adhered to. These are:
1. Data must be processed fairly and lawfully
This is generally regarded as the most important requirement in the Act. To comply with it, you must tell individuals (the “data subjects”) who you are, i.e. the name of your business, and what their personal information will be used for.
You are also legally obliged to tell them about any use of their data that would not be obvious to them, e.g. selling or passing personal information on to a third party.
2. Data must be processed for specified lawful purposes
You must specify a lawful purpose for acquiring personal data, and you must not then use it for any purpose that is unlawful or “incompatible” with the one you specified.
3. Data must be adequate, relevant and not excessive
The data you collect should be limited to what is relevant to the purpose you specified. Your company should not collect more information than is necessary for that purpose.
4. Data must be accurate and up to date
Any data you hold should be accurate and kept up to date where necessary. With online trading becoming the norm, it is worth providing a way for individuals to check and update their own details quickly.
5. Data must not be kept for any longer than necessary
Once data is no longer required for the purpose it was collected for, it must be deleted rather than kept indefinitely. Where possible, tell individuals how long you expect to keep their data.
6. Data must be processed in accordance with the rights of individuals
The Data Protection Act not only sets out the responsibilities of Data Controllers but also specifies the rights of the individual, such as the right to obtain a copy of the personal data held about them (a subject access request). It is important that your company understands these rights and has a process for honouring them.
7. Data should be kept secure
The Act requires appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage. In practice this means controls such as access restrictions, backups and staff procedures, proportionate to the sensitivity of the data and the harm a breach would cause.
8. Data must not be transferred outside of the European Economic Area (EEA) without adequate protection
Simply put, personal data must not be transferred out of the EEA unless the company concerned has adequate legal protection in place for individuals and their personal details in the receiving country.
Notifying the Information Commissioner’s Office (ICO)
In addition to abiding by the eight principles of the Data Protection Act, your company may also be required to notify the ICO of its data processing activities.
The Act works on the basis that all Data Controllers must notify the ICO, but some are exempt. The exemptions include:
• You only process data for the purposes of staff administration, payroll, advertising, marketing and other PR activities directed solely at your own business activities.
• The organisation is a not-for-profit body that meets the conditions for the exemption.
• Data is only processed for personal, family or household affairs.
• Data is only processed to maintain a public register.
• No computer system is used in the processing of the data (purely manual records).
To limit your exposure you might also consider Professional Indemnity Insurance to cover your company in case of a breach of the Act, bearing in mind that insurance is not a substitute for complying with the eight principles in the first place.