The Data Protection Act 1998 regulates the way personal data is handled by businesses and organisations and what rights the subject has to control it.
Any business that obtains, records or holds personal information needs to comply with the eight principles of the Act. Personal information is essentially any information that can identify a living individual and specifically includes opinions about them or outcomes for them.
The data protection principles say that the information must be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area (without adequate protection for the rights and freedoms of data subjects in relation to the processing of personal data)
The business also needs to register as Data Controllers unless exempt. Data Controllers own and are responsible for data, they decide what information they need and how they will process it. There is a self-assessment questionnaire on the Information Commissioner’s website to help you decide if you need to register, you can access it by following this link which opens in a new window.
Subject access requests and data breaches are also covered in detail, along with security measures to take to protect the data.
There are specific requirements and guidance if you outsource your data handling to a third party data processor requiring suitable diligence and written agreements. If you use CCTV, cloud computing or engage in direct marketing, to name but a few, there is also specific guidance available.
The Information Commissioner is the regulator and can impose substantial penalties for infringements. By way of example, a sole trader was fined £5k in September 2013 and a charity £200K in March 2014.
Data subjects have a right to claim compensation if a company has caused them damage by a breach.
The General Data Protection Regulations will apply from 2018. Many of the main concepts and principles are similar to the Data Protection Act 1998. If you are compliant with this then you will be in a good position to comply with the new law. If you are unsure of where you stand you may be interested in our Data Protection MOT >read more…
However, there are some new elements and significant changes, so you will need to do some new things and some differently. For example there is greater emphasis on documentation to demonstrate accountability. >read more…
How Can Crimson Crab Help?
We offer a variety of solutions to help businesses with their compliance responsibilities>read more…
You may also be interested in F2 Business Huddle – networking with a purpose >read more…