Meeting your Data Protection Act requirements

Are you Being Transparent? – If you’re processing personal data then you have a legal obligation to be transparent with people about what you are doing with it. You need to tell people why you need it, who will have access to it and how long you will be keeping it for. There are also some specific things you must cover, such as the lawful basis for your processing, what rights people have over their data, how to ask for changes and how to make a complaint. The easiest way to do this is with a Privacy Statement published on your website. The key to a good privacy statement is to keep it clear, open and honest. If people understand what you are doing, they are less likely to be surprised and therefore less likely to make a complaint that could land you in hot water.

Although you may think that GDPR and the changes to the Data Protection Act are EU legislation that will not apply post-Brexit, they are already embedded in UK law (as the UK GDPR and the Data Protection Act 2018) and are here to stay. First, it is important to understand that the Act only applies to personal information. The official definition of personal information is:

  • Information that relates to a living person who is identified, or who could be identified, directly or indirectly, from that information.

This includes:

  • name
  • an identification number, such as National Insurance or passport number
  • location data, such as home address or mobile phone GPS data
  • an online identifier, such as IP or email address.

Sensitive personal data is also covered as special categories of personal data. If you are processing Children’s data there are some additional rules to follow depending on the age group. The special categories specifically include:

  • genetic data relating to the inherited or acquired genetic characteristics which give unique information about a person’s physiology or the health of that natural person
  • biometric data for the purpose of uniquely identifying a natural person, including facial images and fingerprints
  • data concerning health which reveals information about your health status, including both physical and mental health and the provision of health care services
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • sex life or sexual orientation.

Business e-mail addresses are covered by the Act as long as they are not generic. For example, a shared or generic mailbox address for a business is not classed as personal information, but an address that identifies a named individual is.

So, your first step is to check if you collect any data listed above from or about your customers. If you do, the Act requires you to make sure that the information is:

  • adequate, relevant and not excessive. This can be followed easily by only taking the data you really need. You must be clear as to the type of information you wish to store on customers or potential customers and why, e.g. name, address, any personal details. This includes information taken electronically, e.g. from e-commerce transactions. Make sure that you take the data protection principles into account when storing customer data.
  • processed fairly, lawfully and transparently. In practice, this means you should not mislead, coerce, or bribe your customers into giving away their personal data. This condition requires you to be clear about what data you are collecting, why you are collecting it, and what it will be used for. Most businesses take care of this with what’s generally known as a ‘privacy notice’, made available at the point where the data is collected; where you rely on consent, that consent must be a clear, positive opt-in (a pre-ticked box does not count). The ICO has produced a helpful checklist on the Data Protection Act, specifically for small businesses, which contains guidance on how to draft a privacy notice. The first principle also requires you to have at least one lawful basis (the ‘conditions for processing’) for every use you make of personal information. If you have a good reason for using information it is rare that none of the lawful bases will fit, but you should read the principles on the ICO website to give yourself an overview all the same. More restrictive conditions also apply to the special categories of personal information listed above, such as a person’s religious beliefs or sexual orientation.
  • obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes. Essentially, it must be made clear to the user/customer/potential customer at the start what your business will be using the data for and why it is being collected. Any new purpose you use the data for should be broadly in line with the original purpose. So, for example, if you run a courier business, you should not start using your customers’ addresses to send them unsolicited marketing material.
  • accurate and up to date. In practice this means that you need to give customers the option to confirm the data you hold is correct on a regular basis.
  • processed in accordance with the rights of data subjects under the Data Protection Act. Customers have a right to access a copy of the information you hold on them, under what is known as a subject access request, which you must normally answer within one month. Other rights include the right to have inaccurate data corrected, the right to object to processing that may cause them damage or distress, an absolute right to stop you using their information for direct marketing, and a right to claim compensation for damage caused by a breach of data protection law.
  • kept for no longer than is necessary. Be sure to securely delete/dispose of the data when you no longer need it.
  • secure (that is, appropriate measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage). You must keep any personal data you hold secure against compromise, whether accidental or deliberate. The Act says your security must be ‘appropriate’ to both the nature of the information and the harm that could result from its misuse. This does not necessarily mean buying state-of-the-art security software, but the measures you take should be in proportion to the risk to the people whose data it is and to your company. The IT security product you choose is not the end of the story, either. Just as important is which of your employees can access the information and what they can do with it. Restrict access to as little data as possible and to as few people as possible, and review who has access regularly: do not go giving the office intern access to your customers’ credit card details.
  • Personal data must not be transferred to a country or territory outside the UK unless the transfer is covered by UK adequacy regulations or by appropriate safeguards. This is particularly relevant if you are a hosting or cloud-based storage company, or if you use one, since data may be stored overseas. The UK treats the EEA and a limited list of other countries as providing an adequate level of protection; for anywhere else, including the USA unless a current UK adequacy arrangement covers the recipient, you need an approved safeguard such as the ICO’s International Data Transfer Agreement or the EU standard contractual clauses with the UK addendum. Note that the old ‘Safe Harbor’ scheme and its successor, Privacy Shield, have both been struck down by the courts and can no longer be relied on, so check your cloud providers’ contracts and where they actually keep your data.

You should also check whether you need to pay the data protection fee and register with the ICO, which you can do on the ICO website. The form takes around 15 minutes to complete and needs completing in one sitting. You will then be asked for payment; the fee is an annual charge set in tiers according to your staff headcount and turnover, so most small businesses pay the lowest tier and only large organisations pay the top one. Check the current amounts on the ICO fee page before you budget for it.

If you breach the Data Protection Act:

The ICO has the power to issue extremely heavy penalties to organisations that do not abide by the legal requirements for handling personal data: it can issue penalty notices of up to £17.5 million or 4% of annual global turnover, whichever is the greater, and can bring criminal prosecutions against the most serious offenders.

In practice, though, unless you maliciously breach the Act or deal incompetently with personal information, it is rare that such heavy penalties will be imposed. The Department of Justice in Northern Ireland was fined after it sold at auction a filing cabinet that still contained the details of a terrorist incident, which should give you an idea of the kind of incident the ICO deems worthy of a more serious penalty.

The vast majority of incidents are dealt with by what is known as an enforcement notice, in which the ICO contacts the offending company and requires them to take specific steps to comply, usually by simply stopping whatever they are doing.

So what if the unthinkable happens and personal data you hold is lost or stolen? You should have an incident response plan in place before it happens, so that you can contain the incident, work out what data and which people are affected, and limit the damage. If the breach is likely to result in a risk to the people concerned you must notify the ICO without undue delay and within 72 hours of becoming aware of it, and if the risk to those people is high you must also tell them directly without undue delay. Keep a record of every breach, including those you decide not to report, along with your reasoning.

If you have an accountant, they should be your first stop for business advice. If you don’t have an accountant or they can’t help, BuBul has a wide range of experts available. For more business advice why not follow BuBul on LinkedIn?