Data protection law isn't the easiest of things to get to grips with but hopefully the following thoughts will help. It covers personal data – basically data from which a person can be identified. It applies mainly to processing data on computers and other devices but covers also manual filing systems that allow data about an individual to be easily accessed.
A penalty of up to £500k for serious breach can be imposed and reputational damage can be significant if your company features in the press as being careless with people's data, so it is worth taking seriously.
Tell those whose data you collect what you will do with it and don't do things with their data you haven't told them you will do. That should keep you out of trouble in most cases. If you get involved with sensitive data (for example, relating to health or race), take extra care as the rules are much tighter.
Notify the Information Commissioner what data you collect and what you do with it and keep your notification up to date as the type of data you collect and what you do with it changes. The notification is renewable annually. It's an offence not to do these things.
Train staff dealing in personal data what they can and can't do with the data you have collected.
Delete data that is no longer needed for the purpose for which it was collected.
Check your insurance cover. Does it cover data breach? If someone hacks into your systems and steals customers' credit card details for example, that could be costly. Also have a suitable professional check if you are suitably protected from cyber-attack.
If you pass data you have collected to others to process you are liable for what they do or don't with the data, so have a contract with them and undertake due diligence on their suitability.
Don't transfer data outside the EU unless you have the person's consent or you comply with one of the other requirements, such as having suitable contractual wording in your contract with the company outside the EU that will be receiving the data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
