Data Protection Act: How to comply with the law

It’s not just for tech businesses – almost every business in the UK is affected by data protection law. Learn how to comply here

Data Protection Act: How to comply with the law

What will happen if I break the law?

If data you hold is lost or stolen or you think you might be in breach of the Data Protection Act in some other way, you need to act quickly to rectify the situation. The ICO has wide-ranging powers and can issue extremely heavy penalties to those companies found to be in breach of the Act, including fines of up to £500,000 and prison sentences in some very serious cases.

This might seem quite excessive, and it is true that such heavy fines and harsh punishments are reserved for the more flagrant breaches of the law. The Northern Ireland Department of Justice recently received a large fine for selling a filing cabinet containing sensitive documents relating to a terrorist incident at an auction, which might help to give you an idea of how serious the breach has to be to warrant immediate punishment.

If it is your first breach of the Data Protection Act and the breach is inadvertent, the ICO are likely to just issue you with an ‘enforcement notice’. The body will contact you and ask you to take specific steps to comply with the law (usually just by stopping whatever it is you are doing).

If you are facing the difficult scenario of having personal data you hold lost or stolen, you should:

  • Have a policy in place to limit the damage done
  • Notify the people affected, especially if they are at risk of having bank accounts or other valuable information compromised
  • Get in touch with the ICO immediately to inform them of the situation


What happens if someone makes a subject access request?

The most important right people have under the Data Protection Act is known as a ‘subject access request’. This is where someone demands to see all the personal information you hold on them, and you generally have to give them this within 40 days.

So what happens if you receive one of these? You should go straight to the ICO’s online checklist for businesses, which contains a step-by-step guide to how you handle a subject access request. To cover the costs of doing so, you are allowed to charge people up to a maximum of £10.

In some situations, you don’t need to comply with a subject access request. The most important exception is where you hold confidential “management planning” information on someone, usually a member of your own staff.

This exception is intended to protect you in the day-to-day running of your own business. An example would be where you are planning a number of redundancies or promotions, and one of your employees makes a subject access request. In this situation, you don’t need to comply with the request, as they may find out about your plans and cause disruption in the workforce.

Other exceptions to the duty to comply with a subject access request include:

  • Employer’s references for former employees
  • Contract negotiations (for example, your negotiations with an employee over salary)


Can I send marketing emails to my customers I have details on?

Business owners often express confusion about this, but in reality the rules are quite simple. If you have collected the data lawfully for marketing purposes in the first place (for example, you have purchased a list of leads from a specialist company), or you have informed your customers that they may receive marketing emails from you before they consent to giving you their details, no issues should arise.

The same principles apply when giving customer details out to third parties or receiving them – just make sure the people whose information is being used have consented to their marketing information being given out to partners for advertising purposes.

Are there any changes to the law coming?

Data protection is a rapidly shifting area of the law, and it is about to undergo fundamental change with the European Commission’s proposal for a general Data Protection Regulation for businesses.

Unlike Directives, Regulations have direct effect in member states, meaning all UK businesses will come under its provisions when it is launched. It is currently going through the EU legislative process, and is expected to come into force in 2015 at the very earliest.

Nevertheless, you should understand the likely changes the new law is likely to bring in, and how you can start preparing for them now.

Some of the proposed changes include:

  • One single regulator.Currently, if you hold data in several different EU countries, you will have to deal with several disparate sets of laws and regulations affecting data protection in each one. The new law will change this, and make companies accountable to just one country’s data protection regulator for all its activity. Which country this is will likely depend on which country you make most of your major decisions with regard to data protection – so most UK businesses will continue to be regulated by the ICO when dealing with data abroad.
  • New rules on accountability. The new law is likely to have tougher requirements for companies which hold personal data, making them more accountable as to the way in which they use this information. This will mean establishing a culture of constantly monitoring and reviewing how you use personal data and making sure you go no further than necessary in your legitimate business aims. Some companies that use a large amount of data are already preparing for the changes by restricting their employees’ access to personal data, reserving access to more senior or specialist staff.
  • A duty to inform your regulator of breaches. The new law will impose a strict legal requirement to inform your regulator if there has been a breach of data protection law, and potentially the people whose data it is if the effect on privacy is serious enough. However, an exception has been proposed for the situation where the data lost has been rendered ‘unintelligible’ – in practice, this will mean scrambled or encrypted data.
  • Duty to seek consent in new situations. The Data Protection Act doesn’t currently require you to seek consent from people before you use their data in most circumstances, but this could be about to change with the new law. The regulations might impose a duty to seek consent if there is a “significant imbalance” in power between the organisation holding the data and the person to which it belongs (such as an employer/employee relationship).
  • The right to be forgotten. This controversial new principle allows people to legally demand the removal of certain information about themselves which is in the public domain, such as compromising photographs. It means that someone can compel you to delete information you hold on them, but only if there is “no legitimate reason” for you to be holding on to it. Of course, this would also mean you shouldn’t have had the data in the first place.

Useful contacts & further reading

1 2 3

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>