Managing Data on Customers & The Data Protection Act
We look at what small businesses need to know about data protection to make sure your business upholds the requirements.
Businesses need to hold a range of information on customers, staff and the business itself. It is essential to ensure that this information is protected and as secure as possible. Any business holding information must also be sure that they are meeting the terms laid out in the Data Protection Act 1998.
Make sure you have an understanding of the Data Protection Act 1998
Make sure you and your staff are aware of the Data Protection Act 1998. The Act governs the collection and storage of personal information and possible systems abuse.
Check whether you need to register
A self-assessment guide explaining whether or not you need to register is on the Information Commissioner’s website. If you are still uncertain, check with the Information Commissioner, who enforces the Data Protection Act.
Principles of data protection
There are eight principles of data protection and anyone processing personal data must comply with them. These state that data must be:
- fairly and lawfully processed
- used for limited purposes
- adequate, relevant, not excessive
- not kept longer than necessary
- processed in accordance with the data subject’s (eg the customer) rights
- not transferred to countries without adequate protection
A more comprehensive definition of these principles is on the website of the Information Commissioner’s Office.
Identify the type of information you need to store and why
You must be clear as to the type of information you wish to store on customers or potential customers and why, eg name, address, any personal details. This includes information taken electronically, eg from e-commerce transactions. Make sure that you take the data protection principles into account when storing customer data.
Look at the format you will use to store information
You need to ensure that any customer information is stored securely. Manual (paper) data is vulnerable to accidents such as fire or flood and, if stored in a basement, can be damaged by rodents, damp or vandals. Electronic information stored on floppy discs, CD-ROMs etc is easily stolen or fire damaged, or can become corrupted. Practical security should be considered. For example, it is pointless storing sensitive documents in a safe if the keys are left lying around or anyone has access to the information stored.
Develop confidentiality procedures to maintain data security
Risk evaluation should be carried out to ensure that security systems are in place to protect data. For example, it may be decided not to give out client details over the phone; part of the security system would then be ensuring that all staff are aware of this policy.
Establish a retrieval system to access stored information
Storing or archiving all of the business correspondence and documentation can be time consuming and make retrieval difficult, so you must have systems in place to manage data storage and retrieval. Make sure there is minimum duplication of customer information between, for example, the accounts system and a customer database. This helps manage the customer data and comply with data protection law.
Back up or copy essential data
Businesses should always back up or copy essential data, as damage to files can mean the loss of essential information, including data on sales and market predictions or the business’s financial records.
Ensure that staff understand and are trained in managing data
Staff should receive training in the business data protection policies and understand the reasons behind confidentiality procedures.
- Contact the Information Commissioner’s Office if you have any questions regarding registration requirements under the Data Protection Act.
- Security of information should be treated with the same level of seriousness as that of premises or cash.
- The storage and retrieval system should be monitored to ensure it continues to meet the needs of the business whilst complying with legislation.
- Business Link advisers will be able to help you identify the information you need to retain and how to establish data management systems.
This Data Protection information is reproduced in accordance with Crown Copyright © 2013.