As one of our most popular articles, this has been updated for 2017.
As a business owner, it’s likely that you deal with some personal information, and that means that you have to follow certain data protection rules.
This guide outlines the Data Protection Act 1998 as it currently stands (although watch out for changes following the GDPR deadline), and runs through the eight key principles.
- What is GDPR for small business?
- Consumer Protection Act: summary guide for small businesses
- Going self-employed in the UK: a guide to get started
- What is business insurance?
Summary of the Data Protection Act 1998
The Data Protection Act 1998 is a piece of UK legislation that’s designed to protect the privacy of personal data. It sets out the obligations that organisations currently have if they handle personal information.
Although you may think that this only applies to larger companies, in fact most businesses hold some personal data – for example customer contact details, or HR information about staff.
If you do use or store personal information, and this information relates to someone that can be identified, you are referred to in the Act as a ‘data controller’.
Why is the Data Protection Act important for businesses and how does it affect them?
At some point, every self-employed person should ask how the data protection act affects businesses. Whether it’s relating to their staff or their customers, a Data Protection Act breach can have serious consequences for a small business owner.
Given how much personal and confidential information is stored, the Act is important to help avoid any potential financial, privacy, and reputational losses. However, for businesses, who could face Data Protection Act fines (and worse) should they not comply with legislation, the importance is even greater.
The Act affects the way businesses store, record, dispose of and use personal data, amongst other things.
The Data Protection Act and employers’ responsibilities
As an employer, you’ll have a number of unique responsibilities. Firstly, workers have a legal right to access information that their employer may hold on them.
Meanwhile, employers should also ensure that staff are compliant with data protection regulations in their day-to-day work, and have a duty to monitor the likes of telephone calls, emails, and CCTV where necessary.
Data controllers have a series of important responsibilities, and must abide by the eight data protection principles.
The Data Protection Act’s 8 key principles
If your organisation deals with personal data, you must ensure that you consistently act in accordance with the eight key principles set out in the Data Protection Act.
1. Personal data must be processed fairly and lawfully
This is among the most important requirements of the Act. In order to comply, you must provide individuals with the name of your business, and details of the purpose for which their information will be used. You should make it clear that the individual can access and correct the information that you hold about them.
Crucially, you must also tell them if the information will be used in any way that is not immediately obvious. For example, you must tell the individual if their details will be passed on to credit reference agencies.
2. Personal data must be processed for specified lawful purposes
You must have a specified, lawful reason for collecting data; you cannot simply collect it speculatively. Furthermore, you cannot use the data collected for another, “incompatible” or unlawful purpose.
3. Personal data must be adequate, relevant and not excessive
You should only collect the bare minimum; you may not collect information that is not immediately relevant to the specified purpose, and you may not collect more information than you need.
4. Personal data must be accurate and up to date
Any information you hold must be factually accurate, and updated where necessary. Depending on the nature of your business, you may need to develop mechanisms that allow individuals to update their details quickly.
5. Personal data must not be kept for any longer than is necessary
If the purpose for which you collected the data is time-limited, you must ensure that the data is not retained once it is no longer needed. Where applicable, you should tell individuals how long the data is likely to be retained for.
6. Personal data must be processed in accordance with the rights of individuals
The Act sets out the rights of individuals, as well as the responsibilities of data controllers. You should make sure that you understand these rights, and act in accordance with them.
7. Personal data must be kept secure
You must take adequate steps to ensure the security of the data. This means that it should be safe from tampering, loss, or unlawful processing. You may need to develop both technical and organisational processes to help you deal with this obligation.
8. Personal data must not be transferred outside the European Economic Area without adequate protection
Data may only be transferred out of the EEA if the country to which it is being transferred has adequate legal protection for individuals and their details.
Does your business need to register with the ICO?
As well as ensuring that you abide by the eight key principles, you may also be required to notify the Information Commissioner’s Office (ICO) of your activities. The Act works on the basis that all data controllers are required to notify, but some exemptions are available. If you are not exempt but you fail to notify the ICO, you risk prosecution.
You may be exempt from the notification requirement if:
- you only process data for the purposes of: staff administration; payroll; advertising, marketing and PR that are directly related to your own business activities; or accounts and record-keeping
- yours is a not-for-profit organisation
- data is only being processed for personal, family, or household affairs
- you only process data in order to maintain a public register
- or if no automated system, like a computer, is used in the processing of data
You can use the ICO’s online checker tool to see if your business is exempt from registration.
If you do need to register, you can do this on the ICO website. Registration generally costs £35 per year.
If you don’t comply with the Data Protection Act, you could face serious penalties, including a fine of up to £500,000. If you are in doubt, seek advice from the Information Commissioner’s Office, or from an independent legal professional.
UK data laws are changing – are you ready for the General Data Protection Regulation (GDPR) May 2018 deadline?