What you need to know about data protection law

31 October 2011

Email article : Print article : More articles like this

Your business data is one of the most valuable assets your business owns, but with it comes great responsibility. If you collect data on clients, employees or suppliers – whether it's on paper, in databases or online – the Data Protection Act 1998 applies to you. This article explains the basics of the act and your obligations.

Personal privacy is important to us all, yet we entrust our data, including name, address, date of birth and bank details, to numerous organisations on a daily basis. With fraud and identity theft of the increase, keeping your data – and that of your customers, employees and suppliers – has never been more important.

The Data Protection Act provides a legal framework to which anyone who collects data (known as a ‘data controller') needs to adhere to.

Any information that is held must be handled appropriately. The Information Commissioners Office (ICO) has set out eight guiding principles that businesses must follow.

Data must be:

Fairly and lawfully processed
Processed for specific purposes
Adequate, relevant and not excessive
Accurate and kept up to date
Not kept for longer than is necessary
Processed in line with an individual's rights
Kept secure
Not transferred to other countries outside the European Economic Area.

The Data Protection Act also allows individuals to know what information is being held about them. They can do this by making a ‘subject access request'.

If someone feels that their data is not being managed according to these principles then they can contact the ICO, which may result in your business being investigated and fines being levied.

Last year the ICO was given the power to fine businesses up to £500,000 for breaches of the Data Protection Act.

Do I need to register with the ICO?

The Data Protection Act requires every data controller processing personal data to notify the ICO. Failure to notify is a criminal offence.

Notification is an annual occurrence and costs £35 per year.

Who is exempt?

Your business may be exempt if you only process personal data for core business purposes such as your own marketing and PR, payroll, or invoicing.

Follow the ICO's self-assessment guide to find out if your business needs to register, or call their helpline on 01625 545745. They also provide a checklist for small businesses.

What should I do if someone makes a request?

Individuals have a right to see the personal data that an organisation holds on them, and the right to have it corrected if it is wrong.

As a data controller, you may be sent a ‘subject access request', which is a request to show an individual what personal data you hold on them. If you receive such a request, you must:

respond to it within 40 days
provide a copy and a description of the data you hold on them
advise who the source of the data was
give information on how the data is processed
give information on which other people or organisations it may have been disclosed to.

You can charge a fee of up to £10 to cover the cost of handling a request.

Who is responsible?

It is not only you, the business owner or manager, who needs to know about your data protection responsibilities. You should make sure that any staff you employ are also aware. Some 80% of security incidents involve staff there is a clear need for all workers to have a basic understanding of the Data Protection Act. Find more information on training staff from the ICO.

Benefits your business

Although there is a legal obligation on your small business to comply with the Data Protection Act, there are also benefits to your business:

By keeping your data up to date, you will only send marketing emails and direct marketing campaigns to the most relevant customers and prospects, which will save you time and money.
By protecting the information you hold about others, you will not only earn a reputation as a trustworthy business, but you'll prevent a potentially time consuming and costly investigation and other legal consequences should your data fall into the wrong hands.

If you are in doubt, you should seek advice from the Information Commissioner's Office, or from an independent legal professional.