Data Protection Act: How can your business comply with the law?
A comprehensive guide on how the Data Protection Act affects small businesses, the key principles to apply and upcoming changes to the law
‘Data protection’ can be an intimidating phrase for a small business owner like you, conjuring images of wordy, hard-to-understand legislation.
As a result, business owners tend to assume the law only applies to digital businesses or corporations that use information as a commodity, such as data analytics firms or major supermarkets.
While we don’t want to scaremonger, don’t be fooled into thinking it doesn’t apply to you.
- Data protection applies to virtually every business, including sole traders
- Customer information – names, addresses, photographs, card details and phone numbers – is all subject to the law on data protection
- Failing to obey data regulations could lead to fines of up to £500,000 or even prison
Essentially, if you run any kind of business with customers, from a retail or logistics business to a day nursery, it’s likely you will store other people’s personal information in some way and therefore have to comply with the legal requirements for storing business information. It is essential to ensure this information is protected and as secure as possible.
Data protection is governed by a law called the Data Protection Act 1998, which contains all your obligations as a business. It is vitally important to obey data protection regulations, as the Information Commissioner’s Office (ICO), the body which is responsible for enforcing the Act, has significant powers to crack down on non-compliance.
With the threat of major fines or prison, data protection is clearly no joke, so it pays for you and your business to be informed.
The Data Protection Act is a long piece of legislation, and contains lots of small print, exemptions and conditions, so you could be forgiven for wondering where to start with it as a business.
Never fear, though; we have put together a list of frequently-asked questions about data protection along with answers that should cover all you need to know about your obligations as a business.
What is the Data Protection Act?
The Data Protection Act 1998 is the piece of legislation that governs how personal information is used by organisations, businesses or the government. If you store or process personal data in certain ways, the Act considers you a ‘data controller’, which means you must register with the Information Commissioner’s Office and abide by strict guidelines when using personal data.
What type of business does the Data Protection Act affect?
The Data Protection Act is really wide-ranging. It is not limited to a specific kind of business, or even business in general – even private individuals can be bound by its regulations if they use data in certain ways.
So a retail business that stores customer addresses as part of a loyalty scheme would need to adhere to the Data Protection Act rules, as well as a day nursery that keeps records of the children in its care – to give just two examples.
The Act only applies if you put or intend to put this information on a computer in some way, though – so if you’re one of the very few businesses that doesn’t use a computer to store information, then it won’t apply to you.
How do you register with the Information Commissioner’s Office as a ‘data controller’?
The ICO’s registration page can be found here. It takes around 15 minutes to complete and needs completing in one sitting.
You will then be asked for payment – for the majority of businesses this will be an annual charge of £35. This only goes up to £500 if you are a large business with a turnover of more than £25.9m and 249 members of staff or more.
Who is exempt from the Data Protection Act?
Most businesses that store personal data on a computer must register, but there are a number of important exceptions to this rule.
You don’t need to register if you’re using data for purely domestic or private purposes, such as keeping an address book or a phone contacts list of your friends and family. The Data Protection Act isn’t for people uploading their holiday snaps to Facebook. It’s also not for you if:
- Your business stores personal information for internal day-to-day business activity, such as staff payroll
- Your business uses personal information for advertising, marketing and PR activity in relation to your own business – providing you have obtained this personal information legally and consent has been given
- You run a small not-for-profit organisation – like a club, voluntary organisation or small charity – and you use the data only in connection with running the organisation (more detail on this can be found here)
If you’re still not sure whether you need to register, the Information Commissioner’s website has a self-assessment guide which asks you a number of simple yes/no questions to work out whether or not you need to register – it shouldn’t take more than five minutes to complete.
It is vitally important that you find out whether you need to register as soon as you can, as failing to register is a criminal offence.
What happens after I’ve registered?
After registration, your business appears on a publicly-searchable database of data controllers on the ICO website, meaning consumers can see the nature of your business and what you intend to use personal data for.
As a registered data controller, whenever you store or use personal information you must abide by a set of eight principles, outlined in the Data Protection Act. This might seem like a lot to take in at first, but the principles have been drafted to stop companies misusing data for harmful or malicious purposes, and are intended to speak for themselves.
Generally, if you are open with customers about what data you are taking and what you will use it for, and you use the information you collect only for those purposes, it is rare you will fall foul of the Act’s principles.
What do I need to do to comply with the Data Protection Act?
In order to stay within the law once you’ve registered, you need to comply with the eight principles for the storage and use of data outlined in the Data Protection Act.
Below you will find the eight principles, with links to ICO guidance on each. Again, they are intended to be self-explanatory, but we have put together tips to make sure you understand and stay within each one where there are hidden nuances.
Principles of data protection
There are eight principles of data protection and anyone processing personal data must comply with them. These state that:
- Data must be processed fairly and lawfully
In practice, this means you shouldn’t mislead, coerce, or bribe your customers into giving away their personal data. This condition requires you to be clear about what data you are collecting, why you are collecting it, and what it will be used for. Most businesses take care of this by making customers sign or tick what’s generally known as a ‘privacy notice’. The ICO has produced a helpful checklist on the Data Protection Act, specifically produced for small businesses, which contains guidance on how you can draft a privacy notice.
The first principle also requires you to meet at least one of the ‘conditions for processing’ when using personal information in any way. If you have a good reason for using information it’s rare that this won’t be the case, but you should briefly read the conditions for processing on the ICO website to give yourself an overview all the same. More restrictive conditions also apply to ‘sensitive’ personal information, such as information on a person’s religious beliefs or sexual orientation.
- Data must only be obtained for specified and lawful purposes, and processed in a manner which is compatible with those purposes
Essentially, it must be made clear to the user, customer or potential customer at the outset what your business will be using the data for and why it is being collected. Any new purpose you use the data for should be broadly in line with the original purpose. So, for example, if you run a courier business, you shouldn’t start using your customers’ addresses to send them unsolicited marketing material.
- Data must be adequate, relevant and not excessive in relation to the purpose for which it is processed
This is fairly self-explanatory, and can be followed easily by only taking the data you really need. You must be clear as to the type of information you wish to store on customers or potential customers and why, e.g. name, address, any personal details. This includes information taken electronically, e.g. from e-commerce transactions. Make sure that you take the data protection principles into account when storing customer data.
- Personal data shall be accurate and, where necessary, kept up to date
Again, this principle more or less speaks for itself.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
Be sure to securely delete or dispose of the data when you no longer need it.
- Personal data shall be processed in accordance with the rights of data subjects under this Act
Customers have a right to access a complete copy of the information you hold on them, under something known as a subject access request. Other rights they have include a right to stop your business doing anything that may cause them damage or distress, a right to stop you using their information for direct marketing, and a right to claim compensation for damage caused by breaches of the Data Protection Act.
- Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of or damage to personal data
You must keep any personal data you hold secure so that it cannot be compromised, accidentally or deliberately. The Act says you should have security that is ‘appropriate’ to both the nature of the information and the harm that may result from its improper use. This doesn’t necessarily mean having state-of-the-art military-grade security software, but the measures you take should be in line with the risk to your company.
It’s important to remember that the IT security solution you choose isn’t the end of the story, either. Just as important is which of your employees can access the information and what they can do with it. Keep as much data restricted as possible and only authorise the people you need to – don’t go giving the office intern access to your customers’ credit card details.
- Personal data shall not be transferred to a country or territory outside the EEA (European Economic Area) unless that country or territory ensures an adequate level of protection
This is particularly relevant if you are a hosting or cloud-based storage company, which may store large amounts of data overseas. You should keep personal details within Europe at all costs, as the number of countries considered to have an ‘adequate’ level of protection is actually quite limited; the European Commission has listed only 10 countries, of which the USA is not one (although sending data to companies operating under the voluntary ‘Safe Harbor’ arrangement is considered acceptable).
What will happen if I don’t comply with the Data Protection Act?
The ICO has the power to issue extremely heavy penalties to companies not abiding by the legal requirements for storing business information – it can issue penalty notices of up to £500,000, and undertake criminal prosecutions for the most serious offenders.
In practice, though, unless you maliciously breach the Act or deal incompetently with personal information, it is rare that such heavy penalties will be imposed. The Department of Justice in Northern Ireland was fined after it sold a filing cabinet containing the details of a terrorist incident at auction, which should give you an idea of the kind of incident the ICO deems worthy of a more serious penalty.
The vast majority of incidents are dealt with by what’s known as an enforcement notice, in which the ICO contacts the offending company and requires them to take specific steps to comply, usually by simply stopping whatever they are doing.
So what if the unthinkable happens and personal data you hold is lost or stolen? You should have a plan in place for dealing with such an incident and for limiting the damage if anything happens. You should also notify the ICO immediately.
What happens if someone asks to see the personal information I hold?
This is the most important right the people you hold data on have under the Act, and is known as a ‘subject access request’. A person can ask you to tell them about any personal information you have on them, and in most cases, you must respond to this request with a copy of the information you hold within 40 days.
The ICO has prepared an online checklist for businesses, containing a step-by-step guide to what you should do when you receive a subject access request. You are allowed to charge a fee for providing people with a copy of their information, up to a maximum of £10.
In some situations you don’t need to comply with a subject access request. The most important exception deals with confidential management planning information you hold on a person, usually a member of staff.
As an example, you may be planning a number of redundancies when one of your employees makes a subject access request, and in this situation you don’t need to comply – as by doing so they may find out about your planned redundancies and cause disruption to your business.
Another exception comes when you provide an employer’s reference for a former employee, or you are negotiating with someone (for example, agreeing a salary for a member of staff you are taking on), and using their personal data as part of that. If you have any queries about this aspect of data protection, it may be worth speaking to an HR consultant (you can get an idea of HR outsourcing costs on our page here).
Can I send marketing emails to my customers I have details on?
Yes – as long as you obey the principle that any use of personal information should be in line with the original purpose for which it was collected, or you have informed your customers that they may receive marketing emails from you before they consented to giving you their details.
The same principle applies when giving out customer details to third parties, or buying in third-party email lists. Ensure the people whose information is being used have consented to this use, and specifically to their information being given out to marketing partners for advertising purposes. If in doubt, refer back to the eight principles.
The law is changing: When will the new data protection laws come in?
As you might expect, data protection is a rapidly evolving field, and the law is set to change. In May 2018, the Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR). This new Europe-wide legislation will be the largest single change in data protection law since the original EU Data Protection Directive, and is aimed at bringing different EU states’ data protection laws in line with each other.
Despite our upcoming Brexit, the government has confirmed the UK will adhere to the new laws and regulations.
What does the General Data Protection Regulation mean for small businesses?
The ICO is still working on expanding its information on the GDPR but there are a number of major changes that will affect small businesses.
One single regulator: If you hold data across several different member states, the new law will aim to simplify matters by holding you accountable to just one data protection regulator, which will supervise your activity across all member states. This is likely to be in the country in which you make the major decisions about data processing – so if you run a UK business, this will almost certainly be the ICO.
Accountability and review: The new regulations are likely to require you to take greater steps to improve your accountability as a data processor. This will mean establishing a culture of constantly monitoring and reviewing your data protection procedures to ensure you only ever use as much data as is necessary. Some companies that use a large amount of data are already limiting employees’ access to customer data to tighten up their procedures ahead of the new law coming in.
Duty to inform the regulator if there has been a breach: The new law will impose a legal requirement on you to notify your regulator if there has been any breach of data security, and sometimes to the individuals whose data has been compromised. It’s not clear how far this particular provision will go yet, although there are proposals to waive the duty to inform if the data compromised has been rendered ‘unintelligible’ (in practice, this will mean encrypted).
Consent: The current law doesn’t require you to seek consent from the people you hold data on in the vast majority of circumstances. However, the new regulations will require you to seek consent from someone you plan to hold data on if there is a “significant imbalance” in power between the two of you (such as the relationship between employer and employee). Additionally, if you use personal data for marketing purposes, you will need to offer a very clear avenue for the person concerned to object to it.
Right to be forgotten: You may have heard about this one in the news; essentially, the ‘right to be forgotten’ allows you to legally request the deletion of photos and other data personal to you that you wish to be removed from the public domain. The new law will allow someone to legally demand that you delete information you hold on them, but only where there is “no legitimate reason” for you to hold on to that data. The burden of proof will be on you as the data processor to show that your use of the data is legitimate, so you should look at whether your current practices are demonstrably within the law.