Data Protection Act: How to comply with the law
It’s not just for tech businesses – almost every business in the UK is affected by data protection law. Learn how to comply here
‘Data protection’ can be an intimidating phrase for a start-up or small business owner like you; for many, it conjures up images of blinking data banks, difficult-to-understand legislation and expensive litigation.
There is also a common misconception amongst business owners that the law only applies to large corporations, digital businesses, or companies that use customer information as a commodity, such as marketing firms.
This is not the case – the Data Protection Act applies to virtually every business, including sole traders. Any customer information you handle – including names, addresses, photographs, card details and phone numbers – will be subject to the law on data protection.
It is vital you understand the law, as failing to obey data protection regulations can lead to a fine of £500,000, or even a prison sentence in the most severe cases.
Data protection law contains a wide range of exceptions, requirements and duties, and can be difficult to understand. However, as a small business, obeying a few simple guidelines should mean you stay within the law.
Does data protection law apply to me?
Data protection in the UK is currently governed by a law called the Data Protection Act 1998, which contains all your obligations as a business. It is intended to regulate the use of “personal data” – that is, data that could be used to identify a specific living person, such as a phone number, address or photograph.
The Act is very wide-ranging, and is not limited to a specific kind of business, or even business in general; individuals can be subject to its provisions in certain circumstances. If you use other people’s personal data in any way as part of your business – anything from storing customer information for a loyalty card scheme to producing progress reports for a day nursery – you are likely to be covered by the Act.
Storing or processing data in certain ways will mean you are a ‘data controller’ under the law, and will have to abide by the rules set by the Information Commissioner’s Office (ICO), the body responsible for enforcing data protection in the UK.
However, the Act only applies to data stored on a computer. If you run one of the few businesses that still keeps records manually, you don’t need to worry about data protection.
Do I need to register with the ICO?
If you store or process customer data in certain ways, the ICO considers you a ‘data controller’, and you must join a publicly-searchable register in order to comply with the law.
Whilst you will need to register in many situations, there are a number of important exceptions to the requirement to register:
- You are storing information purely for day-to-day business activity, such as staff payroll
- You are using personal information for marketing, advertising or PR activity in connection with your own business (although you might need to obtain consent for this – see below)
- You are a charity or not-for-profit organisation and you are using the data in line with running this organisation
If you’re not sure whether you need to register, the ICO has prepared a five-minute Q&A on its website, which should easily clear up any confusion. It is important you find out whether you need to register as soon as possible, as failing to do so is a criminal offence.
If you do need to register, the ICO’s registration page can be found here. You can either download the form and return it digitally, or print the PDF and return it manually.
When you have completed the form, save it as a document and attach it to an email with the heading ‘Data Protection New Registration’ and email it to firstname.lastname@example.org.
You will be asked for payment – for the majority of businesses this will just be an annual £35 charge. This increases to £500 a year if you are a large business (turnover of more than £25.9m and 249 members of staff or more).
The ICO is currently changing its online registration process to make it easier for companies to sign up, and there may be minor delays whilst this happens. However, it still shouldn’t take more than a week.
What happens when I have registered?
After you have registered your business as a data controller, it appears on a publicly-searchable database on the ICO website. People will be able to see the nature of your business, and what you will be doing with personal data you hold.
After you have registered with the ICO, you have to abide by a set of eight principles whenever you use or store personal data. These are outlined in the Data Protection Act, and we cover them in more detail below.
You may have never heard of these eight principles, and their requirements can seem daunting at first. However, once you understand that they are all essentially in place to stop you misusing data for unlawful, unauthorised or malicious purposes, they more or less speak for themselves.
Generally, as long as you abide by common sense and you are open with your customers about the data you are collecting and what you will be using it for, it’s rare that you will end up breaking the law.