As one of our most popular articles, this has been updated for 2017.
As a business owner, it’s likely that you deal with some personal information, and that means that you have to follow certain data protection rules.
This guide outlines the Data Protection Act 1998 as it currently stands (although watch out for changes following the GDPR deadline), and runs through the eight key principles.
The Data Protection Act 1998 is a piece of UK legislation that’s designed to protect the privacy of personal data. It sets out the obligations that organisations currently have if they handle personal information.
Although you may think that this only applies to larger companies, in fact most businesses hold some personal data – for example customer contact details, or HR information about staff.
If you do use or store personal information, and this information relates to someone that can be identified, you are referred to in the Act as a ‘data controller’.
At some point, every self-employed person should ask how the data protection act affects businesses. Whether it's relating to their staff or their customers, a Data Protection Act breach can have serious consequences for a small business owner.
Given how much personal and confidential information is stored, the Act is important to help avoid any potential financial, privacy, and reputational losses. However, for businesses, who could face Data Protection Act fines (and worse) should they not comply with legislation, the importance is even greater.
The Act affects the way businesses store, record, dispose of and use personal data, amongst other things.
As an employer, you'll have a number of unique responsibilities. Firstly, workers have a legal right to access information that their employer may hold on them.
Meanwhile, employers should also ensure that staff are compliant with data protection regulations in their day-to-day work, and have a duty to monitor the likes of telephone calls, emails, and CCTV where necessary.
Data controllers have a series of important responsibilities, and must abide by the eight data protection principles.
If your organisation deals with personal data, you must ensure that you consistently act in accordance with the eight key principles set out in the Data Protection Act.
This is among the most important requirements of the Act. In order to comply, you must provide individuals with the name of your business, and details of the purpose for which their information will be used. You should make it clear that the individual can access and correct the information that you hold about them.
Crucially, you must also tell them if the information will be used in any way that is not immediately obvious. For example, you must tell the individual if their details will be passed on to credit reference agencies.
You must have a specified, lawful reason for collecting data; you cannot simply collect it speculatively. Furthermore, you cannot use the data collected for another, “incompatible” or unlawful purpose.
You should only collect the bare minimum; you may not collect information that is not immediately relevant to the specified purpose, and you may not collect more information than you need.
Any information you hold must be factually accurate, and updated where necessary. Depending on the nature of your business, you may need to develop mechanisms that allow individuals to update their details quickly.
If the purpose for which you collected the data is time-limited, you must ensure that the data is not retained once it is no longer needed. Where applicable, you should tell individuals how long the data is likely to be retained for.
The Act sets out the rights of individuals, as well as the responsibilities of data controllers. You should make sure that you understand these rights, and act in accordance with them.
You must take adequate steps to ensure the security of the data. This means that it should be safe from tampering, loss, or unlawful processing. You may need to develop both technical and organisational processes to help you deal with this obligation.
Data may only be transferred out of the EEA if the country to which it is being transferred has adequate legal protection for individuals and their details.
As well as ensuring that you abide by the eight key principles, you may also be required to notify the Information Commissioner's Office (ICO) of your activities. The Act works on the basis that all data controllers are required to notify, but some exemptions are available. If you are not exempt but you fail to notify the ICO, you risk prosecution.
You may be exempt from the notification requirement if:
You can use the ICO's online checker tool to see if your business is exempt from registration.
If you do need to register, you can do this on the ICO website. Registration generally costs £35 per year.
If you don’t comply with the Data Protection Act, you could face serious penalties, including a fine of up to £500,000. If you are in doubt, seek advice from the Information Commissioner’s Office, or from an independent legal professional.
UK data laws are changing – are you ready for the General Data Protection Regulation (GDPR) May 2018 deadline?
Keep up to date with Simply Business. Subscribe to our monthly newsletter and follow us on social media.Subscribe to our newsletter
99 Gresham Street
29 St Katherine's Street
© Copyright 2019 Simply Business. All Rights Reserved. Simply Business is a trading name of Xbridge Limited which is authorised and regulated by the Financial Conduct Authority (Financial Services Registration No: 313348). Xbridge Limited (No: 3967717) has its registered office at 6th Floor, 99 Gresham Street, London, EC2V 7NG.