The Data Protection Act 1998 defines how information about living people may be legally processed and handled. Businesses are required to comply with eight data protection principles, and failure to do so may result in regulatory action by the Information Commissioner's Office (ICO). The fundamental principles of data protection enshrined in the Act provide that personal data must:
- be processed fairly and lawfully;
- be obtained only for lawful purposes and not processed in any manner incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate and where necessary, kept up to date;
- not be retained for longer than necessary;
- be processed in accordance with the rights and freedoms of data subjects under the Act;
- be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage; and
- not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory protects the rights and freedoms of data subjects.
If these principles are complied with, personal data may be processed for core business purposes (e.g. staff administration or business marketing activities) without the need to notify the Information Commissioner. If data is processed for other purposes, the Information Commissioner must be notified.
Subject Access Requests
It should also be noted that individuals have a right under the Act to obtain a copy of the information held about them. This is not limited to employees. If a business receives such a ‘subject access request’, a response must be given promptly and no later than 40 days after the request, and this covers all data, whether it is held electronically, in paper form or in any other form.
Review of Data Protection
SMEs should consider conducting a review of the personal data that they process. Where sensitive personal data (including details about race, political opinion, religious belief, trade union affiliation, physical or mental health, sexual life and the alleged commission of any offence) is processed, specialist advice may be needed and extra care taken, as the conditions for processing such data are much more stringent than those for general personal data.
The ICO has developed an online self-assessment tool which can be used by small and medium-sized organisations (SMEs) to assess their compliance with the Data Protection Act and improve data handling procedures. The tool provides a rating of compliance with the Act based on responses to a questionnaire and includes links to relevant guidance and information.
New EU General Data Protection Regulation (GDPR)
In light of the foregoing, several recent high-profile ICO decisions and a heightened awareness of data protection among the general public, all businesses, including SMEs, need to have a proper understanding of their obligations under the Data Protection Act when handling personal data. Furthermore, with the forthcoming EU General Data Protection Regulation (GDPR), due to come into being in 2018 and bringing an even more stringent data protection regime, increased financial penalties and a wider definition of ‘personal data’, the need for small businesses to tighten up their data protection procedures has never been greater.
The GDPR is expected to become law in 2018 and, whilst the UK may have voted to leave the EU, the regulation will affect all UK businesses due to the expanded territorial reach provided for in the Regulation. The GDPR applies to data controllers and processors outside the EU whose processing activities relate to the offering of goods or services to EU data subjects, or to the monitoring of their behaviour within the EU.
This means in practice that companies outside the EU targeting customers in the EU will be subject to the GDPR. As such, UK companies will be obliged to comply and, in any event, it appears that the UK will still be within the EU in 2018 when the Regulation is due to come into force. Therefore, legal services for businesses going forward must necessarily include compliance with the current data protection principles and with the new GDPR by 2018, so that businesses minimise the risk of finding themselves at odds with the new rules and open to hefty fines.