Data Protection Act: How to comply with the law

It’s not just for tech businesses – almost every business in the UK is affected by data protection law. Learn how to comply here

Data Protection Act: How to comply with the law

How do I comply with the Data Protection Act?

To stay within the law, you should comply with a set of eight (really seven, as the first principle requires you to have regard to the other seven) principles when you store and use personal data.

The eight principles are intended to be self-explanatory, but we have included brief explanations to help you understand how they will work in practice.

In order to stay within the law once you’ve registered, you need to comply with the eight principles for the storage and use of data outlined in the Data Protection Act.

Below you will find the eight principles, with links to ICO guidance on each. Again, they are intended to be self-explanatory, but we have put together tips to make sure you understand and stay within each one where there are hidden nuances.


  • Data must be processed fairly and lawfully.

You should be clear with customers about what you are collecting, why you are collecting it, and what it will be used for. Most businesses comply with this provision by making customers agree to a ‘privacy notice’ when they collect data; you have probably come across one of these as a customer yourself.

When drafting one of these, use the ICO’s guidance to help you; this checklist has been produced with the specific needs of small businesses in mind.

This principle also means you need to meet one of the ‘conditions for processing’ when using personal data in any way. You can read the conditions here – generally, though, if you have a good reason for using the personal information, you needn’t worry about falling foul of the law. There are additional restrictions on the use of “sensitive” personal information, which can include information on someone’s religious beliefs or sexual orientation.

  • Data must only be obtained for specified and lawful purposes, and processed in a manner which is compatible with those purposes.You must be clear from the outset on what you are collecting the data for and how it will be used. If you put the information to use again, it should be related to the original purpose. For example, if you are an e-commerce business a list of customer addresses you use for delivery, you would be breaking the law if you sold on these addresses to a third party for marketing purposes.
  • Data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.Essentially, this means only taking what you actually need, and no more.
  • Personal data shall be accurate, and where necessary, kept up-to-date. You should update or delete personal data where it is clear it has become inaccurate – for example, if a customer changes his or her address.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Remember to securely dispose of the information when you are done with it – make sure it is deleted permanently rather than simply moved to the Recycle Bin.
  • Personal data shall be processed in accordance with the rights of data subjects under this Act. Your customers have a right to ask for a complete copy of the information held on them, under what is known as a ‘subject access request’. Customers also have the right to stop your business doing anything that might cause them damage or distress, a right to stop you using their information for marketing purposes, and a right to claim compensation if they are affected by your breach of the Data Protection Act.
  • Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of or damage to personal data. Essentially, you need to take steps to ensure the personal information you hold is secure and won’t get lost or fall into the wrong hands. The law says you need to have “appropriate” security, reflecting the nature of the information and the harm that might result from it being used improperly. So credit card details should have multiple layers of encryption and protection, but such drastic measures probably won’t be needed for the details of a customer’s shoe size.Don’t forget that the security software you use is only part of the picture; you also need to make sure your employees are properly trained in data protection. Only allow employees access if you really need them to handle the personal data in some way.
  • Personal data shall not be transferred to a country or territory outside the EEA (European Economic Area) unless that country or territory ensures an adequate level of protection. Perhaps the most important provision – whilst external hosting and cloud-based storage tools are convenient for you, you shouldn’t store personal data on them unless the servers are physically located in one of the European Commission’s 11 non-EEA countries which are deemed to have an “adequate” level of protection. Even the USA is not considered to have an adequate level of data protection, although sending data to specific companies operating under the voluntary ‘Safe Harbour’ arrangement is allowed.


1 2 3

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>