Small firms unsure of Data Protection obligations
One in four small-business owners do not believe their firm is meeting its obligations under the Data Protection Act (DPA), software firm Invu has warned.
All businesses that store people’s personal details, such as customer or employee records, are required to comply with the DPA. The Act also states that individuals have the right to access the personal information that businesses hold about them.
However, the Invu research revealed that a third of small firms failed to realise that the DPA includes all paper-based documents and not just those stored electronically. Invu chief executive David Morgan said:
“The premise of the Data Protection Act is very solid but implementing and managing it is not quite so clear, so it’s little wonder that many SMEs are confused. Small firms often don’t have the time, budget or resources to ensure that they are totally compliant with legislation, so they can often take a ‘head in the sand’ approach.”
Businesses which do not comply with the DPA risk substantial fines from regulating body the Information Commissioner's Office (ICO). An ICO spokesperson said:
“We’re constantly working to tackle awareness and encourage good practice by all organisations. We regularly produce guidance and advice to ensure that organisations can comply with Data Protection Act requirements.”
Invu offered businesses the following tips to comply with the DPA:
- Know exactly where your electronic and paper-based data is stored and ensure it is filed correctly.
- Always fulfil requests for a copy of the information your firm holds about people. If you fail to recognise the request or ignore it, you could face a fine.
- Ensure you have adequate security. If you file your documents electronically, make sure that only authorised people can access confidential files.