(Courtesy of Farley’s Solicitors)
Before the GDPR, there was the Data Protection Act 1998 (DPA). This remains the source of the current UK data protection regime. Although the DPA has been in force in the UK since 2000, full compliance by the nation’s organisations shouldn’t be assumed. There are numerous businesses whose policies and practices fall short of, if not fail entirely to reach, the standards required by the DPA.
If your organisation holds information about individuals, or processes that information in any way, you almost certainly have obligations under the DPA. If you’re one of the many who keep meaning to get round to reviewing their data protection practices, here are a few pointers to get you started…
1. Register yourself with the Information Commissioner (ICO) – it’s simple to do online and incurs a small fee.
2. Become familiar with the basic data protection principles. These are the foundations of the rules and include the requirement for personal data to be accurate and up to date, kept for no longer than is necessary, appropriately secured and used only for the purpose for which it was obtained. The ICO’s website is a great place to look for guidance.
3. As is often the case, compliance with this type of complex rule book is best achieved by having proper policies in place which are kept under review and properly communicated to everyone in your organisation.
Two key areas for organisations are: the retention and use of customer and employee personal data, and using that information for direct marketing. Here are a few fines the ICO has handed out in the last year to demonstrate why proper policies are vital:
A historical society was fined when a laptop that contained sensitive personal data was stolen whilst a member of staff was working away from the office. The laptop wasn’t encrypted, yet it contained details of individuals who had donated artefacts. The organisation had no policies or procedures around homeworking, encryption and mobile devices – a breach of data protection law.
A nursing home was fined £15,000 for breaking the law by not looking after the sensitive personal details of individuals in its care. Sensitive personal data includes medical records and is expected to be treated even more carefully than standard personal data.
A company sent more than 500,000 texts urging people to support its political campaign and was fined £50,000 as the messages were unsolicited and breached rules about sending unsolicited electronic direct marketing communications.
If nothing else, the variety of these organisations and the differences in the nature of their failures illustrate just how important it is to know the rules and to make sure your organisation has communicated them through clear policies to all those who may come into contact with personal data.