The Data Protection Act explained
The Data Protection Act: A guide for small business owners
As a small business you are likely to hold information on customers, employees, suppliers, clients or other members of the public. If you hold this kind of information (whether it’s on paper, in data files, or on a website) the Data Protection Act 1998 applies to you.
There are a lot of misconceptions about the Data Protection Act, and it is often wrongly used to excuse or avoid certain actions. This article provides an overview of the Act to help you understand it and your legal obligations under it. We also explain who needs to register with the Information Commissioner as a Data Controller, and how to register.
Your obligations under the Data Protection Act
If you hold personal information of any kind about a living person you must comply with the Data Protection Act, whether you need to register with the Information Commissioner or not. As a small business, you need to be aware of two main obligations:
The eight principles of good information handling
The Act specifies that any data you hold must be:
- fairly and lawfully processed
- processed for specific purposes
- adequate, relevant and not excessive
- accurate and kept up to date
- not kept for longer than is necessary
- processed in line with the rights of the individual
- kept secure
- not transferred to countries outside the European Economic Area unless there is adequate protection for the information
The Information Commissioner can take enforcement action to ensure your information processing is in line with these principles, so you should ensure your internal procedures accommodate these data handling requirements, and you must make sure that any staff you employ are also aware of the Data Protection Act requirements.
Individuals’ rights under the Data Protection Act
Sections 7, 8 and 9 of the Data Protection Act deal with a person’s rights to see the personal data that is held on them, and the right to have it corrected if it is wrong. You may be sent a ‘subject access request’ which is a request to show an individual what personal data you hold on them. If you do receive a subject access request you are obliged to:
- respond to it within 40 days
- provide a copy and a description of the data you hold on them
- advise who the source of the data was
- give information on how the data is processed
- give information on which other people or organisations it may have been disclosed to
You can charge a fee of up to £10 for handling a subject access request if you choose to do so. Under certain circumstances you can withhold information. For clarification on what you should or should not provide, phone the Information Commissioner's helpline on 01625 545745 for advice.
How the Data Protection Act benefits your business
Although there is a legal obligation on your small business to comply with the Data Protection Act, there are also business benefits to be gained, for example:
- Using only up-to-date data for sending mailshots makes sense: using old data wastes time and money and irritates potential customers.
- Deleting out-of-date information frees up storage space, so you won’t have to keep buying more.
- Keeping information secure protects you from damage to your business, or possible legal consequences, if your data should fall into the wrong hands.
Registering with the Information Commissioner
The Data Protection Act 1998 requires every data controller who is processing personal data to 'notify', unless they are exempt. Notification is for one year so you will need to make a note of the date you first registered and remember to renew annually. The annual fee is currently £35.
Failure to notify is a criminal offence. See the Information Commissioner’s notification web page for more information, or call the notification helpline on 01625 545740.
You may be exempt if you only process personal information for core business purposes such as your own marketing, staff administration, or invoicing. The Information Commissioner’s website provides an online self-assessment or a downloadable self-assessment guide to help you determine whether notification is required.
More information about the Data Protection Act
Full details of the Data Protection Act and the Information Commissioner’s role can be found on the Information Commissioner’s website.
Data Protection Good Practice Notes from the Information Commissioner's office:
A quick 'how to comply' checklist (opens a pdf file)
Data protection training checklist for small and medium sized organisations (opens a pdf file)
Checklist for handling requests for personal information (subject access requests) (opens a pdf file)
NEW (June 2009): BSI has published a new standard for SMEs and small businesses giving a framework for managing and protecting data. More information on the new data protection standard is available from BSI.