What is the Data Protection Act, and how does it affect my business?
This article was originally published by Pitmans LLP in 2015.
The Data Protection Act 1998 (DPA) governs the holding and processing of personal data.
‘Personal data’ means information relating to a living individual who can be identified from that information, or from that information together with other information that you hold or are likely to obtain.
‘Processing’ of personal data is defined very broadly: it includes obtaining, recording or holding the information and carrying out any operation on it, such as organising, altering, retrieving, using, disclosing, erasing or destroying it.
As a business, you will be handling the personal information of your employees, suppliers and / or customers: it is therefore likely that your activities will be caught by the provisions of the DPA. If you are a ‘data controller’ under the Act and fail to notify the Information Commissioner of your organisation’s processing (unless an exemption applies), you commit an offence, and your directors may be personally criminally liable where the failure occurred with their consent, connivance or neglect.
A ‘data controller’ is a person or entity that, alone or jointly with others, determines the purposes for which, and the manner in which, personal data is processed. Under the DPA, personal data must be:
- fairly and lawfully processed;
- processed for specified purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the individual;
- kept secure; and
- not transferred to countries outside the EEA unless the information is adequately protected.
Non-compliance can result in an enforcement notice preventing your business from processing personal data, which would effectively stop many businesses from operating, as well as a monetary penalty of up to £500,000 for serious breaches. Furthermore, the officers of your company (its managers and directors) can be held personally criminally liable for offences under the Act committed with their consent or connivance, or attributable to their neglect.
You should establish a data protection policy in your business to ensure your legal obligations are met.
The policy should take into account the particular personal data needs of the business as well as the way it processes this information. The policy should also address areas where personal data, and in particular ‘sensitive personal data’ (data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or criminal offences), might inadvertently leak or be disclosed in contravention of your obligations under the law.
The law aside, it also makes good business sense to have a policy as:
- keeping the information you hold about your customers secure protects both your business and your customers;
- sending out a mailing from incorrect or out-of-date records not only annoys your customers but also wastes your time and money;
- good information handling can improve your business’s reputation by increasing customer and employee confidence in you; and
- good information handling should also reduce the risk of a complaint being made against you.
Every day individuals contact the Information Commissioner to enquire about the way their information is handled. The Information Commissioner can also be asked to assess whether particular processing is likely or unlikely to comply with the DPA.
What to do now?
- Ensure your organisation has notified the Information Commissioner and appears on the register of data controllers (or confirm that an exemption from notification applies);
- Review, or write, your data protection policy;
- Ensure that you hold no more personal data than is necessary for the business activities that you perform;
- Establish procedures for staff to follow when processing personal data. (This is important because showing that you exercised all ‘due diligence’ to comply may be required as a defence in the event of a complaint or prosecution brought against you);
- Train, and regularly refresh, all your staff in best practice under your policy;
- Put in place written contracts with suppliers that process personal data on your behalf (the Act requires such contracts to oblige the supplier to act only on your instructions and to keep the data secure), and conduct due diligence on those suppliers, to assist in the protection of your information assets; and
- Check your insurance and evaluate your risks of suffering a security incident.