If your business processes personal data such as names, addresses, contact details, academic backgrounds and employment records of clients, employees or any other person, then you have a legal obligation to protect that data.
The Data Protection Act 1998 (DPA)
The Data Protection Act 1998 (DPA) governs this area of law and aims to protect the privacy of a person when their personal data is processed. Personal data means any information which relates to a living individual and from which that individual can be identified. It also includes expressions of opinion about that individual. So whether you are collecting, organising, using, disclosing, modifying, storing or deleting personal data, you have to act in accordance with the DPA.
DPA breaches are criminal offences. Further, the directors or other officers of a company in breach may also be personally liable. Sounds scary, doesn’t it? Actually, a common-sense approach is all that is required. There are eight general DPA principles:
- Data must be lawfully processed
- Personal data must only be acquired for a specific purpose
- Only the essential personal data should be acquired
- Personal data should be accurate and up to date
- Personal data should not be stored for longer than necessary
- You must take the rights of data subjects into account
- You must protect against data loss, damage and destruction
- Personal data should not be transferred out of the European Economic Area, unless the destination country has similar protections
The Information Commissioner’s Office (ICO), an independent authority on information rights and data privacy, has produced a guide to data protection which is useful reading for business owners.
Step 1. Ensure That You Provide Data Protection Training To Staff
The BSI carried out a survey of 500 SMEs way back in 2009 which worryingly reported that 65% of SMEs did not have data protection training. This led to the launch of an online protection tool and a new British standard (BS10012) for data protection to help firms comply with the law (and it’s not cheap at £100 a pop!).
Step 2. Nominate A Data Protection Officer In Your Business
Who has responsibility for data protection? What about data controllers? Who knows whether your data sharing practices conform to the DPA?
Step 3. Keep Your Software Updated
Sony was fined 250k in 2013 after a hack of its PlayStation platform saw the personal data of millions of customers put at risk. Names, addresses, email, account passwords, payment card details and dates of birth were compromised. The ICO investigation discovered that the attack could have been avoided if Sony had updated its software.
The out-of-date software meant that many passwords were not secure. Equally, Welcome Financial Services were fined £150k for losing more than half a million customers’ details after 2 backup tapes containing names, addresses and telephone numbers were lost and never recovered.
Step 4. Ensure That Your Marketing Strategy Is Lawful
Avoid unsolicited marketing calls and texts. The ICO noted in their latest report that marketing calls and texts were a major concern, with over 160,000 reports last year. Bulk text messaging operations for PPI claims have incurred hefty fines of up to £440,000, and claims management, debt management and green energy deals organisations were also high up on the complaints list. The ICO prosecuted 9 organisations and their directors under the Data Protection Act for not registering with the ICO. There were also 7 prosecutions in relation to breaches of the Privacy and Electronic Communications Regulations.
Final Words: Data Protection And Preventing Breaches
Data protection should be a priority for business owners. Administrative costs of dealing with complaints and subsequent ICO investigations can be very high. Remember, it’s not just information stored on computers; it encompasses mobiles, laptops, iPods and USB drives, all of which can be stolen or lost.
The possibility of exposing confidential information or sensitive data is an area which is frequently overlooked, but prevention is better than cure. Get some proper advice and check that your business has safeguards in place. After all, a fine of up to £500,000 for a serious breach of the DPA is no laughing matter.