A Small Business Guide to Data Protection Compliance
The law requires personal data to be collected and used in such a way that individuals’ personal details are protected. To comply with the Data Protection Act 1998 (the Act) a business must follow the eight data protection principles when handling personal data. When your business handles personal information the principles require the data to be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the data subject;
- kept secure; and
- not transferred to other countries without adequate protection.
Read Your Responsibilities (below) for guidance on complying with each of the eight principles.
The Information Commissioner’s Office (ICO) is an independent public body set up to enforce and oversee the Data Protection Act. The ICO’s aim is to protect personal information and promote public access to official information. Failure to comply with the data protection principles is a breach of the Act and could lead to a business being investigated by the ICO. Businesses must notify the ICO about their information-processing activities.
You should consider appointing a data protection officer with overall responsibility for ensuring compliance with these principles and the Act in general throughout your business. Although this isn’t specifically required by the Act, it represents best practice and it’s an efficient way of ensuring that data protection laws are complied with throughout your commercial operations.
For detailed information on the eight data protection principles, see Rules and Regulations below.
Your Responsibilities
To ensure you treat all data subjects fairly and consistently and comply with the law, it is important that the business acts in accordance with the eight data protection principles below.
The list is not exhaustive, because what is necessary will depend on the nature of your operations and how you deal with personal data within your business.
- Process personal data fairly and lawfully
- Use data only for the purposes agreed
- Collect and store only data that is adequate, relevant, and not excessive
- Keep data accurate and up to date
- Keep data only as long as necessary
- Process data in line with the data subject’s rights
- Keep personal data secure
- Do not transfer data to countries without adequate protection
- Penalties for failing to comply with the data protection principles
Process personal data fairly and lawfully
This is the first data protection principle. You must let the data subject know what you will be doing with their data and why, before you actually start processing it. The key questions to ask yourself are:
- do the people whose information we hold know that we have got it, and do they understand what it will be used for?
- if we pass on personal information to a third party, has the data subject been made aware of this?
Many organisations provide their customers with a ‘fair collection’ or privacy notice at the start of their relationship. This is a written statement of what types of information the business will collect about them, why it needs them and what it will do with them. Fair collection notices are the best way of fulfilling your legal obligations under the first data protection principle. The level of detail to be included will depend on what type of personal data your business handles and what you do with it. Speak to your lawyer if you are in any doubt about what to include.
The Information Commissioner’s Office (ICO) has published a code of practice on privacy notices, intended to help you provide more user-friendly notices. It gives advice on drafting notices and how they can be provided, including examples of good and bad practice in this area. You can find the code on the ICO website.
Special conditions apply when processing sensitive personal data and you must meet at least one of the conditions to comply with the Act. The best way to do this is to obtain the explicit consent of the data subject before dealing with this type of information. This means fully disclosing to them exactly what you will be doing with the data and why. This enables them to make an informed decision as to whether to give their consent to the processing. It’s always advisable to obtain this consent in writing.
If your business passes personal information (whether sensitive or not) to third parties, you should look at the ICO code of practice on data sharing, which can be accessed on their website. The code gives helpful guidance for data controllers who are involved in the sharing of personal data with third parties (for example a retailer providing customer details to a payment processing company), and will help to identify the issues to be considered when deciding whether to share personal data.
If you are not able to obtain the express consent of the data subject, you will need to meet one of the other conditions that apply to the processing of sensitive personal data. These are listed in the Data Protection Act 1998 and can be found in Rules and Regulations.
If you fail to process personal or sensitive personal data fairly and lawfully, your business may be subject to a penalty (see the Penalties for failing to comply with the data protection principles section below).
Use data only for the purposes agreed
Personal data that you hold may, in the normal course of events, be used for a number of purposes. However, the Act makes it clear that use must adhere strictly to the purposes that the data subject has agreed.
So, for example, if your fair collection notice or privacy notice states that you will use the customer’s personal data for account administration purposes and for credit checking, it would not be acceptable to then use their information for marketing or research purposes.
If your use of personal data changes during the course of your relationship with the data subject, you must let them know about the change before it takes place.
If you use personal data for a purpose that was not agreed by the data subject, your business may be subject to a penalty (see the Penalties for failing to comply with the data protection principles section below).
Collect and store only data that is adequate, relevant, and not excessive
You should only obtain personal data that is relevant for the required purposes. Avoid compiling too much information. Focus on obtaining sufficient information for the proper performance of the function you are trying to achieve.
The key questions to ask yourself here are:
- does the business really need the information we’re asking for?
- do we know what we are going to use it for?
For example, you should not ask a customer to provide their date of birth if you have no identifiable business requirement for that information.
Keep data accurate and up to date
You must take reasonable steps to ensure the accuracy of the personal data you hold. Ask the data subject to confirm it’s accurate when you first obtain it and, if they let you know about any errors or changes to their data, make the necessary corrections immediately. If there are long intervals between your dealings with the data subject, ask them to check their personal details when you next have contact with them.
Keep data only as long as necessary
You should have a data retention policy in place to make sure that personal data is not kept for any longer than is needed and that it is securely deleted or destroyed as soon as it’s no longer required.
Bear in mind that you may well need to retain data for a period of time after your relationship with the individual has ceased, for example to defend potential legal claims and for taxation purposes. The crucial factor is to be able to justify why you are holding on to the information, as it is not acceptable to retain it ‘just in case’.
How long you retain personal data is likely to depend on:
- what the information is used for;
- the surrounding circumstances, e.g. when the relationship with the customer has ended;
- legal or regulatory requirements; and
- agreed industry practice.
You can find guidance for businesses on deleting data on the ICO website.
Process data in line with the data subject’s rights
The data subject has the right:
- of access to their personal data;
- to have inaccurate information about them corrected or deleted;
- to ask a data controller not to process information about them if the processing will cause them substantial unwarranted damage or distress;
- to prevent unsolicited marketing; and
- to prevent automated decision making (for example, a computer-generated decision where there is no human involvement in the decision-making process).
You must ensure that your internal procedures are adequate to satisfy these requirements. A key element of this will be providing staff with proper training about the Act and how they should deal with personal data.
Keep personal data secure
The Act requires businesses to put in place security measures to protect the personal data they hold from unauthorised use, or from being accidentally lost or destroyed.
Do not transfer data to countries without adequate protection
The eighth principle states that personal data must not be transferred to a country outside the European Economic Area (EEA), unless that country ensures an adequate level of protection for:
- the information itself; and
- the rights of data subjects in relation to processing of personal data.
The safest course of action to take before transferring any data overseas (whether or not the transfer is made within the EEA) is to obtain the data subject’s informed consent to the transfer taking place. You should do this whenever it is practicable to do so, as this will secure you exemption from the eighth principle.
You must make sure that the individual knows and has understood what they are agreeing to, so you will need to specify:
- the reasons for the transfer;
- exactly what personal data is being transferred; and
- the countries involved (as far as this is possible).
If you are aware of any specific risks involved in the transfer, you must disclose these to the data subject.
The Act also provides some other limited exemptions to the eighth principle. However, it is recommended that you speak with your lawyer, as the law is complicated in this area and the consequence of getting it wrong is that you could end up making an illegal transfer of data.
For any transfer of data abroad (regardless of the destination country), you must ensure that you have an appropriate contract in place with the recipient of the data to ensure that protection of personal data is covered. The contract should be entered into before any transfer takes place. You can find model contracts for this purpose on the European Commission website.
Penalties for failing to comply with the data protection principles
Failure to comply with the data protection principles is a breach of the Act, and could lead to an investigation by the Information Commissioner’s Office (ICO). The ICO can inspect a data controller’s compliance with the eight principles using an information notice, which can require the data controller to provide specified information within a stated timescale. The ICO can also obtain warrants for entry and inspection of business premises. It is a criminal offence to obstruct, or fail to assist, someone executing such a warrant.
Ultimately, an investigation could result in enforcement action being taken by the ICO against the business (which, in serious cases, could include preventing you from processing any personal data).
Failure to comply with an enforcement notice is also a criminal offence and you could incur a fine of up to £5,000 in the Magistrates’ Court and an unlimited fine in the Crown Court. The Information Commissioner can impose a fine of up to £500,000 in the case of a serious breach of the data protection principles.
In addition, if your actions cause any damage or distress to a data subject, they could take court action against you and claim damages.
A list of data protection terms
Data controller
A person who (either alone, jointly, or in common with other individuals) decides how and why any personal information is to be processed. In the case of a business, this will be the sole trader, partnership or company which controls the information in question.
Data protection principles
The eight principles set out in the Data Protection Act 1998 regarding the handling of personal data that businesses have to comply with.
Data subject
The living individual to whom personal data relates. For example, this might be someone employed by the business or a customer.
European Economic Area (EEA)
Countries in the area are: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, The Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Personal data
For the purposes of the Data Protection Act 1998, personal data means any information from which a living individual can be identified, and includes for example details such as names, addresses and dates of birth.
Privacy notice
A privacy notice is usually included on application forms or customer order forms, because these are the documents on which the personal data is collected. They are used at the start of the transaction and the customer is usually required to sign them to indicate acceptance.
Processing
Processing personal data covers more or less anything you do with that information, for example obtaining it, recording it on your systems, storing it, using it, even deleting it. Carrying out any operation or set of operations on personal data constitutes processing for the purposes of the Data Protection Act 1998.
Sensitive personal data
Information about an individual which relates to their race or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, physical or mental health, trade union membership, sexual life or criminal activities.
Frequently Asked Questions (FAQs) about data protection
A. You can only do this if you have a legitimate reason for doing so (for example, for staff training purposes) and provided you have complied with the first principle, by letting the data subject know what you are doing.
A. The fifth principle requires that personal data is not kept for longer than is necessary, and what is necessary depends on your specific circumstances. For this reason, your business will need a data retention policy to determine how long each type of data can be kept for, and to ensure that it is disposed of in a secure manner at the end of that period.
You can find guidance for businesses on deleting data on the ICO website.
A. The fair collection or privacy notice must set out what information you are collecting and how it is going to be processed, and must be given to the data subject before any processing of their data takes place. You can find guidance on drafting your notice on the ICO website.
Q. We have received information from a third party that does not match the personal data held by us. What should we do?
A. The fourth principle requires that you must keep your data accurate and up to date. If data has been wrongly recorded or is out of date then you should update it as soon as possible. If you receive data from another organisation which does not agree with the data you hold then you should attempt to contact the data subject to resolve which data is accurate, and then enter the correct data on your system. If the other company’s data is inaccurate then inform the data subject and, if they grant permission for you to do so, inform the third party also so that they may update their data.
Q. We want to use our customer database to identify demographic characteristics relating to our customers in order to target our advertising effectively. Can we do this?
A. You can use your customer database to run research, reports and analysis for which you have a genuine business need. In this example you have a genuine business need to target advertising effectively and so are acting within the requirements of the Data Protection Act.
Q. We want to transfer data abroad to a non-EEA member country and we have not been able to obtain consent from the data subject. How should we proceed?
A. If you are not exempt from the eighth principle because you have not been able to obtain consent from the data subject, and the transfer is not to a European Economic Area (EEA) member country, you will need to consider the following:
- if the data is being transferred to Andorra, Argentina, Australia, Canada, Guernsey, the Isle of Man, State of Israel (with certain limitations), Switzerland, the Faroe Islands (with certain limitations), New Zealand or Jersey, the transfer can go ahead because these countries are regarded as having adequate protection in place. A list of ‘adequate’ countries is published on the European Commission website;
- if you are transferring personal data to the United States, find out whether the organisation you are sending the data to has signed up to the US ‘Safe Harbor scheme’, by checking the list on the scheme’s website. If it has, the transfer can take place as the necessary protections are deemed to be present; and
- finally, if the country you are transferring to does not fall within any of the categories above, then you will have to carry out a risk assessment before carrying out the transfer. You will need to consider whether the country in question has adequate protections in place, bearing in mind the nature of the information being transferred, how the information will be used and for how long and the laws and practices of the country you are transferring to. It is recommended that you speak with your lawyer before making your decision to transfer the data in this situation.
A. The British Standards Institute (BSI) has launched its first British Standard on personal information management, BS 10012. It’s not compulsory for businesses to comply with the Standard, but it aims to assist organisations with data protection law compliance and provides a framework for the effective management of personal data. It gives guidance on issues such as training, risk assessment, and the retention, disposal and disclosure of data. You may find it useful in tackling data protection issues within your business. You can find the Standard on the BSI website.
Rules and Regulations
Data Protection Act 1998
First data protection principle: fair and lawful processing
Data will be processed fairly as required by the first principle only if at least one of the following conditions is satisfied:
- The individual has consented to the processing.
- The processing is necessary to perform a contract with the individual, or for taking steps to comply with a request made by the individual with a view to entering into a contract (for example, to meet orders placed by the individual, to process a job application or to administer employee pensions or payroll).
- The processing is necessary to comply with a legal obligation of the data controller (other than a contractual obligation).
- The processing is necessary to protect the vital interests of the individual (for example, to protect the life of the data subject).
- The processing is necessary for the administration of justice, or for the exercise of any function conferred by statute.
- The processing is necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
These criteria relate to the processing of all personal data. Where the controller processes sensitive personal data, additional criteria will also need to be complied with.
Provision of information
Compliance with the fair processing requirement also requires the provision of certain information to individuals before collection of their data takes place. The information must include:
- The name of the data controller.
- The purposes for which the data is intended to be processed.
- Any additional information which is necessary to ensure that the processing is fair in the circumstances.
There is no requirement for the information to be provided under the DPA to be given in writing; however, it is advisable to do so.
Where the nature of the processing changes, further information will need to be provided to the data subject. Data controllers should therefore try to anticipate all of their processing activities in advance so as to avoid having to comply with this requirement for each new purpose or disclosure.
Companies who justify processing under the first principle through the consent route often seek to comply with the Act’s information requirements by incorporating the relevant information into their consent forms.
Although it is not mandatory in the UK to obtain the consent of data subjects before processing personal data, it is often the simplest way to justify processing as required under the first data protection principle.
Consent must be “unambiguous” and must be a freely given, specific and informed indication of the wishes of the individual by which agreement to processing is signified.
Since consent must be specific and informed, it is necessary to set out the purposes for which information is to be used where these are not obvious. In order to ensure that informed consent is obtained, the Commissioner has indicated that, in addition to the information which data controllers are required to provide pursuant to the Act, notices or privacy policies should also include the following information:
- An indication of the security measures implemented by the data controller regarding the data processing.
- Whether any of the intended recipients of the data are outside the EEA.
- An indication of the data controller’s policy on record retention (how long records are kept and any steps taken to ensure that records are accurate and kept up to date).
- An opt-out to the use of personal data for direct marketing purposes, or, where necessary, an opt-in.
- The data controller’s contact details.
Sensitive personal data: additional rules
Sensitive personal data includes data relating to race, political opinions, health, sexual life, religious and other similar beliefs, trade union membership and criminal records.
Sensitive personal data will only be processed fairly and lawfully as required by the first data protection principle if at least one of a number of additional conditions is satisfied, which include the following:
- The individual has given his explicit consent to the processing (this need not necessarily be in writing). The Commissioner has indicated that explicit consent requires the consent of the data subject to be absolutely clear and should, where appropriate, cover the detail and purposes of the processing, the type of data to be processed and any special aspects of the processing, such as disclosures of the data.
- The processing is necessary for the performance of the data controller’s obligations under employment law.
- The processing is necessary to protect the vital interests of the data subject (where consent cannot be given by the data subject or cannot reasonably be obtained by the data controller) or of another person (where consent by the data subject has been unreasonably withheld). The Commissioner has indicated that this condition is unlikely to be satisfied other than in a life or death situation.
- The processing is carried out by certain non-profit organisations.
- The processing relates to information deliberately made public by the data subject.
- The processing is necessary for the purpose of legal proceedings, obtaining legal advice, establishing or defending legal rights, or for the administration of justice or the exercise of functions of a public nature.
- The processing is carried out by a health professional and is necessary for medical purposes.
- The data relates to racial or ethnic origin and is processed in the context of equal opportunity monitoring.
Certain orders have been made under the Act which allow the processing of sensitive personal data in a number of other situations, including for the prevention or detection of crime.
Riverview Solicitors will try to ensure that the content is accurate and up to date at the time it is published on the is4profit website; however, no representation or warranty, express or implied, is made as to the article’s accuracy or completeness after this date.