The Data Protection Act is designed to safeguard consumer data and ensure rights to privacy. We explain what the Data Protection Act covers and how compliance with the Act affects your small business.
The Data Protection Act regulates how customers’ personal information is collected, stored and used by companies. First introduced in 1984 as a series of basic rules to protect customer data and the way this information is used and stored, the act was revised in 1998, introducing more regulations for businesses to follow concerning customer data.
What data does the Data Protection Act cover?
Data is defined as information held as accessible records stored on a computer, or intended to be stored on a computer. Examples include health records, educational records, names, addresses, contact information, credit history and criminal convictions. Data is separated into two categories: personal and sensitive.
Personal data is information that can be used to identify an individual, such as name, address, medical information and bank information; sensitive data includes a person’s race, political opinion and religion. The Act puts far more safeguards in place concerning sensitive data – notably, a person must be asked directly whether this information about them can be held.
Eight principles of the Data Protection Act
Knowing the eight key principles of the Data Protection Act will help you ensure your small business complies with the law. The eight principles are:
1. Information must be collected and used inside the law.
2. You must inform the Information Commissioner of your intentions for the data. The data can only be used for the reasons stated and only be shared with the people you have registered – you cannot sell information to a third party unless you have informed the Information Commissioner that this is your intention before collecting the data.
3. The information stored must be enough to fit the purpose registered with the Information Commissioner and no more – you cannot store more customer data than is strictly needed.
4. Information should be up-to-date.
5. Information must not be stored for longer than necessary, and not stored indefinitely.
6. The data must be used in line with the consumers’ rights.
7. Data must be stored securely, protected from unauthorized access.
8. Data may not be transferred outside of the EU Economic Area, unless the country has its own safe and adequate data protection law.
What rights does the Data Protection Act give consumers?
The Data Protection Act gives consumers certain rights which every business must comply with. These are:
• The right to access their personal data.
• The right to stop their data being used for marketing, for example for cold calling and email purposes.
• The right to stop their data being used in a way that could cause distress.
• The right to stop automatic decision making with their data.
• The right to compensation for any damages caused from the misuse of their data.
How does the Data Protection Act affect small businesses?
The Data Protection Act applies to almost every UK business, even sole traders. As the owner of a business, you must collect, store and use customers’ personal information only in ways that comply with the Data Protection Act. If you fail to do so, you risk committing an offence and may face a fine of up to £500,000.