Understanding the Data Protection Regulations
The information that your business holds could be its most precious asset. Customer email addresses, personal profiles and buying habits can all be gathered as data.
To ensure that this information isn’t abused, the Data Protection Act (DPA) was created. The Act itself is far reaching and impacts on most businesses that store personal data about their customers.
It is vital that your business complies with this Act, as failure to do so can mean stiff penalties, including a fine of £5,000. If you are unsure about any aspect of the Act, you can contact the Data Protection Helpline on: 01625 545745.
Generally speaking your business will only need to fully comply with the basic DPA principles as they are laid out in the Act. However, in some cases your business may have to notify the Information Commissioner’s Office about the data you are holding and how it is being processed.
The definition of what constitutes a requirement for notification is on the Information Commissioner’s website. Alternatively, you can call the Notification Line on: 01625 545740 for further help.
The DPA Principles
At the core of the DPA is a set of principles that have been developed to ensure that all personal data is stored and used within the law. The data principles are that information must be:
- Processed fairly and lawfully in accordance with the DPA
- Processed for a stated purpose and not further processed in any way that would contravene any other aspect of the DPA
- Adequate, relevant and not excessive. This means that the data your business holds must not go beyond what is needed. Good data protection means holding only the information your business needs to operate
- Held for the shortest possible time
- Accurate and kept as up-to-date as possible. The DPA requires that the information you hold should be accurate to avoid any mistakes or inappropriate use of personal data taking place
- Processed in accordance with all the other regulations and rights that govern how information about an individual can be held and manipulated. Regulations attached to this principle include the privacy laws
- Kept secure at all times. It is your business’s responsibility to protect the personal data held on its systems from unauthorised access. This can come from within your business, or from outside via a malicious computer virus attack, or from infiltration by hackers
- Held in the UK only and not transferred to any business outside the EU (or Iceland, Norway and Liechtenstein) unless adequate security measures are in place to protect the personal data being transferred
Data Protection for Business
It is essential that your business fully complies with the DPA principles as outlined above. You should also be aware of a number of other key requirements that the DPA and the Information Commissioner’s Office place on your business for it to be fully compliant with the DPA. These additional requirements are outlined below:
- Any information that you hold about an individual must be kept safe and secure on your systems, and you should inform each person that you are holding data about them, and what this data consists of
- You should also inform each individual that they have a legal right to see the information you are holding about them. This is an important aspect of the DPA, as it is how individuals can correct any errors within the data your business is holding. Remember, one of the DPA principles is that the data you hold must be accurate. Chronic misinformation about an individual could lead to a prosecution under the DPA
- How your business may use the personal information it holds, and whether it intends to exchange that information with other businesses, must be clearly communicated to each individual
- You must not use the personal data your business holds for unexpected purposes. If you are marketing a new vacuum cleaner, for instance, using the personal data your business has, it is within the DPA to send details about spare parts to the people on your database. However, you could not market a completely different product without asking the permission of the individuals on your database. This is because the purpose of holding their personal data has changed
Generally speaking, the DPA principles can be applied easily in every business, as they are designed to give a framework for how data about an individual is collected, stored and manipulated. Using common sense when interpreting the basic DPA principles is your best course of action. In most cases, any grey areas where the Act and your business could be in conflict can be easily resolved with a call to the Data Protection Helpline.