If you run a small business, the Data Protection Act may be something you have overlooked, assuming it was unnecessary or did not apply to you.
The ICO (Information Commissioner's Office) can fine businesses of any size up to £500,000 for serious breaches of the Data Protection Act, so it is worth making sure you comply now rather than after a breach.
For those not familiar with the Act or its compliance requirements, the following sets out the responsibilities you hold as a business owner and what you need to do to avoid a hefty fine.
In the UK, the Information Commissioner's Office is the independent authority that enforces the Act and upholds the privacy of personal and sensitive personal data.
If your business holds any personal information about a living, identifiable person, you will need to comply. Many businesses are also required to register (notify) with the ICO as a 'data controller', the organisation that decides how and why personal data is processed.
What Sort Of Data Does This Apply To?
Virtually any personal, medical or financial records that your company keeps. The specifics depend on the type of business. For example, a retailer, whether online or in store, receives a customer's personal and payment details with every transaction; that information must be protected so that, in particular, card details do not fall into the wrong hands. Sensitive information in the medical sector, such as a patient's medical history and medications, must likewise be handled with care, with concrete steps taken to protect it. This does not just apply to doctors; it applies equally to opticians, dentists and even private ambulance services.
The Act obliges businesses of every size to handle personal information correctly. Among the principles it sets out, any personal data your business holds must be:
- Accurate and, where necessary, kept up to date, with periodic checks to correct stale information.
- Processed fairly and lawfully, and adequate, relevant and not excessive for the purpose it was collected for.
- Protected by appropriate technical and organisational measures against unauthorised access, accidental loss or damage, so that the customer's privacy is preserved.
- Not kept for longer than is necessary for that purpose.
- Not transferred to countries outside the European Economic Area unless adequate protection for the data is in place.
Section 7 of the Data Protection Act gives individuals the right to see the data held about them, and the Act separately entitles them to have inaccurate data corrected. A request to see the data is known as a 'subject access request'. If you receive one, you are legally obliged to:
- Respond within 40 calendar days.
- Provide the individual with a copy of the data in an intelligible form, together with a description of the data and the purposes for which it is processed.
- Inform them of the source of the data, where that is known.
- Tell them which other companies or people the data has been or may be disclosed to.
You are entitled to charge a fee of up to £10 to handle a subject access request, but whether to charge is at the business owner's discretion. Some information may be withheld where an exemption applies, for example data that would identify another individual who has not consented to its disclosure. The ICO provides guidance and advice for small businesses on all aspects of data handling, and it is important to get clarification from it before withholding anything.
This guide to data protection has been provided by QT&C who offer information security training.