Data Protection Act: A Beginner's Guide For New Businesses
For many new business owners, it can be a little overwhelming just how many rules and regulations you need to comply with. And it’s also probably a little scary when you see the ramifications of not complying with them.
But all this legislation is there for a reason. It protects you, your company, your staff and your customers, so it really is in everyone’s best interest.
One such incredibly important piece of legislation is the Data Protection Act (DPA). This regulates how organisations use ‘personal data’. Now, what exactly is meant by personal data? For the most part, this should be fairly obvious, but there are certain things you might not realise are actually covered by the DPA.
The Information Commissioner’s Office is the UK’s independent body that oversees DPA compliance, and they have put together a comprehensive guide as to what classes as ‘personal data’.
Setting up a data protection policy
One of the first things you should do is set up a policy relating to data protection within your business. It should clearly explain all procedures relating to personal data, including how compliance will be monitored. This should be circulated to all staff and regularly kept up to date.
Get Safe Online is a good place to start when creating a data protection policy.
It’s also a good idea to appoint someone in your business responsible for implementing and monitoring data protection policy. This way, there is one individual driving policy and compliance forward who acts as a central contact for anyone with queries about data protection.
This person should also provide education and training to employees throughout the business. Whether that’s run by the company or by an external party is up to them, but it’s essential all staff are clued up about data protection policy and how to stay compliant.
It’s always best to think about data protection as early on as possible when setting up a business or in any project you’re involved in. Effective planning will reduce the chances of a breach later on.
Note: You will need to register with the ICO to state the types of personal data you hold and why you need it, unless you’re exempt. You’ll need to update this annually. You can do all that here.
If you’re asking for anyone’s personal data, whether that’s a customer, member of staff or the public, you need to tell them why you want it and what you intend to do with it, including any disclosures. This should be clearly explained on websites and any forms people are filling in.
If you intend on changing how you use this data, you should get prior consent.
If you hold personal data about someone, they have the right to request access and obtain a copy of this information. A process should be put in place to deal with these access requests so they are processed correctly and efficiently.
Data Quality and Accuracy
As you’d expect, it’s essential that all data held about an individual is relevant and accurate. What this means in practice is that you should only collect the minimum amount of data you need and only for the purposes outlined in your privacy notices. If there isn’t a legitimate reason why you need certain pieces of data, then you shouldn’t be collecting it.
All data you keep should be as accurate as possible and up to date. If any of the data is inaccurate then you could be in breach of The Act. Take reasonable steps to ensure data is kept updated and accurate - the more important the data, the more vigilant you need to be about making sure it’s accurate.
You can find out more about data accuracy here.
Retaining and Disposing of Data
It’s important that when you no longer need a person’s data, you dispose of it properly. Keeping hold of data when it’s surplus to requirements would be a breach of The Act. You must make sure it is disposed of properly so that the data can no longer be accessed. For example, if you need to discard a USB stick or memory card containing personal data, you should securely wipe the device or even physically destroy it.
Ensure the relevant security measures are in place
Once you’ve collected people’s data, you need to make sure it’s safe. This could mean locking files away in a cabinet or encrypting them on a computer so they’re not easily accessible.
Password protection, firewalls, anti-virus software - it’s all important to keep that data safe from those unauthorised to access it.
We wrote in detail about why cybersecurity is so important for businesses.
If you outsource any personal data you hold, then you need to be careful about who it goes to. First of all, you will still remain responsible for that data, so if a third party misuses it, you’re still liable. You must only work with companies that provide adequate assurances about how data will be held, processed and protected.
If you want more information about outsourcing, this guide will help.
Examples of Data Protection Breaches
There are many ways in which you can be in breach of the Data Protection Act, but here is just a selection of examples. All of these are genuine breaches by local authorities, obtained through Freedom of Information requests:
- Address logged incorrectly resulting in letter being posted to the wrong address
- Personal data disclosed in error via email
- Bill sent to previous address in error
- Information shared with third party without consent
- Providing personal details to a family member without consent
- Emails sent out to a number of personal email addresses without using BCC function
- Loss of a laptop containing personal data
- Email sent to correct person but was not encrypted
- Data left in an unsecure area during an office move
Here were the most common types of data protection breaches between October and December 2015:
And here are the data protection breaches broken down by sector for the same period...
You’ve breached the Data Protection Act. Now what?
There is actually no legal obligation to report data protection breaches. However, the ICO believe that serious breaches should be reported to them. If an incident isn’t reported, it could make matters much worse should it be discovered at a later date.
Notifying the relevant parties of serious breaches, whether that’s the ICO or the subject of the breach itself, is important and should be part of a company’s data protection policy.
However, the ICO warns against ‘over-notifying’, stating that there is no need to report every single breach if you would not class them as serious. Their example is that you wouldn’t necessarily need to contact an email database of 2 million people over something that only affected a specific couple of hundred of them.
Certain organisations do require all breaches to be reported to the ICO. For example, the Department of Health requires any organisation dealing with health and adult social care personal data to use a self-reporting tool that notifies the ICO of the breach and its details.
This guide gives more information on whether you need to report a data protection breach or not.
Penalties for breaching the Data Protection Act
If the ICO finds that you have breached the Data Protection Act, they have a number of options. For less serious breaches, they will more than likely require the company to review procedures and introduce new policies to ensure such breaches are kept to a minimum in the future.
However, for serious DPA breaches, the ramifications can be incredibly serious. The ICO have the power to impose fines of up to £500,000 or even instigate legal proceedings against a person or company, which may result in a prison sentence.
There are various other indirect consequences of a breach, such as a loss of customer or client trust.
For example, in January 2016, a former employee of Enterprise Rent-A-Car was found guilty of selling personal data to another person. This is a criminal offence under section 55 of the Data Protection Act. The guilty party was fined £1,000, ordered to pay a victim surcharge of £100 and legal costs of over £850.
You can see all the action taken by the ICO here.
This is only a fraction of the information available about the Data Protection Act, but hopefully it’s a start for you. Check out the ICO’s Self Assessment Toolkit to learn more.