All UK businesses must comply with the Data Protection Act or face hefty fines and even a criminal conviction. Learn how your business can comply with the Data Protection Act.
The Data Protection Act is designed to protect the consumer data held by companies. As a business, you’ll need to ensure you’ve a data strategy in place in order to comply with this legislation. This applies to any business that stores customer data digitally – even sole traders. If you collect and store data, you’re considered a ‘Data Controller’. You must register with the Information Commissioner’s Office, via an online process and for small businesses this will cost £35 every year. There are eight key principles within the Act that your business must comply with.
1. Data must be collected and used fairly and within the law
When collecting consumer data, you must provide them with your business’ details and the intended use of their data. It must be obvious how an individual can access and change the data stored, and you cannot misguide or lie to your customers. Customers must be made aware of the data you collect and what it will be used for, and you can do so by allowing customers to view and sign a data protection policy. Images captured on CCTV are included in the Data Protection Act and so notices should be displayed if you use CCTV on your premises.
2. Data can only be used the way it is registered with the Information Commissioner
You must inform the Information Commissioner about the intended use of the stored data. Therefore, you cannot sell customer data unless you previously told the Information Commissioner that this was your purpose in collecting it. Purposes must be reasonable and lawful.
3. The information held must be adequate for its purpose
You cannot hold more data than your intention deems necessary – only take the data you directly need to use. You’re not allowed to collect data that is not directly relevant to your use.
4. The information must be up-to-date
Regularly confirm with your customers their data is accurate. Update where necessary, for example if your customer changes their address or phone number. You may want to enable consumers to update their own information manually online. A consumer can ask you to correct their information and can get a court order if you fail to do so. You may have to pay compensation if the court requires changes.
5. Data must not be stored longer than needed
You cannot store data indefinitely. Ensure the information is destroyed once it is no longer needed, and inform customers when you’ve done so.
6. Data must be used in line with the rights set out in the Data Protection Act
The Act gives consumers several rights:
• The right to access their personal data – you may wish to create an online log-in system so people can view their own data. If a consumer asks to see their information, called a ‘subject access request’, you have 40 days to show them and you can charge a fee (maximum £10).
• The right to stop their data being used for marketing such as cold calling and junk mail – you cannot use data for marketing purposes if the customer has refused. You may want to allow an opt-in or opt-out option, for example “tick this box if you don’t want to be contacted by other suppliers”.
• The right to stop their data being used in a way that could cause distress.
• The right to stop automatic decision making with their data.
• The right to compensation for any damages caused from the misuse of their data.
Train staff under the policy and establish a procedure to follow when using data – this is deemed “due diligence” and is useful as a defence against a court case concerning misused data.
7. The information must be safe and stored away from unauthorized access
You must keep your information safe. The data cannot be compromised, lost or stolen. Prevent hackers from accessing your data files by setting up firewalls in your network and using date encryption. Ensure only authorized members of staff have access to the data. Keep information as restricted as possible. Generally, as few staff as possible should have access to the files.
8. Data must not be transferred outside the European Economic Area unless the country has its own safe data protection law
This may be applicable if you host online servers or a cloud-based storage. The European Commission listed 11 other countries with a sufficient data protection laws; Andorra, Argentina, Canada, Faroe Island, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Uruguay and New Zealand. Note this does not include the USA, but sending data to businesses that conduct under the ‘Safe Harbor’ agreement is allowed.