The Data Protection Act 1998 - Do You Know How To Stay Legal?
While most businesses recognise the importance of the Act and the potential ramifications of failing to comply with it, the complexity of the Act's obligations can sometimes make staying on the right side of the law a real puzzle. Following these eight key principles will help you unlock the answers:
1. Data must be fairly and lawfully processed
If you intend to process a person’s data, you must not only have a legitimate reason to do so, but that individual must be aware of the exact use you are going to make of their data. Only then can it be considered fair and lawful.
Explain clearly and coherently to them exactly how you plan to process their data, so that they can make an informed decision, decreasing the possibility of subsequent legal difficulties.
2. Data must be processed for limited purposes
Don't go off on a tangent with your marketing campaigns! When a customer ticks a box and agrees to have their data processed, you can't then use that data for purposes they haven't signed up for.
A business seeking to use personal data for a purpose other than the one originally agreed must obtain additional consent from the individual and must inform the Information Commissioner's Office (ICO).
3. Data must be adequate, relevant and not excessive
The Act states that “personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
While these terms are not specifically defined by the Act, it’s important that you are clear about why you’re processing the data and that you don’t stockpile excess data that you don’t actually need. To be compliant, don’t hold data on the ‘off-chance’ of it having future usefulness. Always hold only the minimum amount of data needed to fulfil the stated purpose.
4. Data must be accurate and up to date
For data to be accurate, it ‘must not be incorrect or misleading as to any matter of fact.’ Also, if such data is determined to have become inaccurate subsequent to being obtained, it must be amended or deleted as a matter of urgency.
The Act makes due allowance for the impracticalities that can arise for businesses that hold vast amounts of customer data, but in order to comply properly, you must take reasonable steps to ensure its accuracy.
Accurately record the information as it was provided to you. Remember: the greater the potential impact that the data may have on your business, the more imperative it is for you to keep it up to date. Keeping your data accurate is always in your best interests, not least for more effective marketing.
5. Data must not be kept for longer than is necessary
The Act doesn’t suggest a specific duration for retaining data, simply stating that it shouldn’t be kept for longer than is necessary for the intended purpose(s). In common with other principles, being clear on those purposes can help you to define an appropriate retention period.
When seeking to devise a retention strategy, bear in mind relevant factors such as:
- The purpose for which the data is being processed
- The generally agreed policy within your industry
- The frequency of your dealings with the data subject or source
6. Data must be processed in line with the data subject’s rights
According to the Act, personal data must be processed in line with the individual’s rights.
It's imperative that your business is able to deal with requests from individuals for their data, known as Data Subject Access Requests (DSARs), and that in that event you're able to identify, locate and supply a copy of the individual's data within a maximum timeframe of 40 calendar days. Also, if an individual asks you to stop marketing to them, you must be able to comply with this request.
7. Data must be secure
The data controller of your business must take ‘appropriate technical and organisational measures to protect personal data from being compromised’ and – as is the case when adhering to many of these principles – preparation is key.
Train employees involved in the data process on information security. Appoint a designated individual within your organisation to take responsibility for information security, and ensure that your business has a breach management plan in place, just in case a security breach occurs.
8. Data must not be transferred to other countries without adequate protection
The Act compels businesses to ensure that personal data isn’t transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
For businesses, the most important element in adhering to this principle is to ensure that a contract is in place between your business and the person or organisation receiving the data, guaranteeing its protection. In addition, make sure you have the data subject's consent to send such data overseas.