Data Protection

Don't get caught out: make sure you're compliant


What is the Data Protection Act, and how does it affect my business?

The Data Protection Act 1998 (DPA) governs the holding and processing of personal data in the UK.

‘Personal data’ means information relating to a living individual who can be identified from that information, or from that information together with other information you hold or are likely to obtain.

‘Processing’ of personal data is defined very broadly: it covers obtaining, recording or holding the information and carrying out any operation on it, including organising, altering, retrieving, consulting, using, disclosing, combining, blocking, erasing or destroying it. Almost anything you do with personal data counts as processing.

As a business, you will be handling the personal information of your employees, suppliers and/or customers: it is therefore likely that your activities will be caught by the provisions of the DPA. If you are a ‘data controller’ under the Act, you must notify the Information Commissioner unless one of the limited notification exemptions applies. Processing personal data without having notified is a criminal offence, and where that offence is committed with the consent, connivance or neglect of a director or manager, that officer can be prosecuted personally.

A ‘data controller’ is a person or entity that, alone or jointly with others, determines the purposes for which and the manner in which personal data is processed. Under the DPA, personal data must be:

  • Fairly and lawfully processed;
  • Processed for specified purposes;
  • Adequate, relevant and not excessive;
  • Accurate and, where necessary, kept up to date;
  • Not kept for longer than is necessary;
  • Processed in line with the rights of the individual;
  • Kept secure;
  • Not transferred to countries outside the EEA unless the information is adequately protected.

Non-compliance can result in an enforcement notice requiring your business to stop or change its processing of personal data, which for many businesses would effectively prevent them from operating, together with significant monetary penalties. Failing to comply with an enforcement notice is itself a criminal offence, and where an offence under the Act is committed with the consent, connivance or neglect of an officer of the company, that manager or director can be held personally criminally liable.

You should establish a data protection policy immediately in your business to ensure your legal obligations are met.

The policy should take into account the particular personal data needs of the business as well as the way it processes this information. The policy and its implementation should also address areas where personal data, and in particular sensitive personal data, might inadvertently leak in contravention of your obligations under the law.


Why do businesses comply with the DPA?

Quite simply because you have to. All organisations in the UK that handle personal data must comply with the Data Protection Act 1998 (DPA), and face stiff penalties if they breach it. Unless an exemption applies, you must also notify the ICO that you are a data controller; processing personal data without having notified is a criminal offence. Notification is separate from compliance: whether or not you are required to notify, you are bound to adhere to the eight principles of the DPA.

Eight principles of the UK Data Protection Act

The DPA applies to all organisations within the UK that hold or process any personal data. Though by no means the whole of the Act, Schedule 1 sets out eight principles with which organisations must comply.

These principles require that personal data:

    • is treated fairly and lawfully
    • is obtained and processed only for specific and specified purposes
    • is adequate, relevant and not excessive
    • is accurate and, where necessary, kept up to date
    • is not retained for longer than necessary
    • is processed in accordance with the individual’s rights
    • is held with appropriate levels of security
    • is not transferred abroad without ensuring adequate levels of legal protection

Organisations found to be in serious breach of the DPA can be served with a monetary penalty notice of up to £500,000 by the Information Commissioner's Office (ICO), in addition to enforcement notices requiring them to stop or change their processing.


How Minatio can help you become DPA compliant

Minatio's services include:

  • Gap analysis
  • Assistance with notifying the Information Commissioner (a legal requirement for most data controllers)
  • Help creating a BS 10012 compliant Personal Information Management System (PIMS)
  • Help achieving ISO 27001 compliance and improving information security
  • In-house employee training

DPA Compliance Gap Analysis

Minatio has a comprehensive DPA consultancy and audit process which can help you assess your current level of compliance with the DPA.

Our experienced consultants can assess your current legal position, security practices and operating procedures in relation to DPA compliance. By examining areas such as direct marketing practices, fair processing notices, retention and deletion procedures and day-to-day data processing, our consultants can isolate any gaps, then create and implement a remediation plan that brings your business into full compliance with the DPA and helps you stay compliant in the future.

Our service tells you what you need to know, thoroughly and effectively, and helps you implement any remediation measures.

The best way of being continually assured that the organisation is in compliance is the BS 10012 standard, which specifies the requirements for a Personal Information Management System (PIMS).

BS 10012:2009 sets out a framework for establishing policies, procedures, training, audits, management meetings and measurements which focus on data protection.

This ensures that compliance measures are planned and carried out, enabling continual improvement on an ongoing basis and giving the management team greater overall organisational awareness.

Establishing a Personal Information Management System as part of your overall business management system places data protection management within a robust framework, which is looked upon favourably by the regulators.

If you choose to implement BS 10012:2009, Minatio can fully guide you through the implementation from initiation to completion.

Information Security and continuity

Principle 7 of the DPA requires that ‘appropriate technical and organisational measures’ be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

To meet this, it is critical that you have appropriate information security and business continuity measures in place. This can involve certification to international and national standards such as ISO 27001, which demonstrates to stakeholders that you have a systematic approach in these areas. Note that ISO 27001 certification is issued by accredited certification bodies, not by the Information Commissioner, and it supports but does not by itself prove DPA compliance: the ICO will still look at what you actually do with personal data.

To implement ISO 27001, please see our ISO 27001 information. We would always strongly recommend this approach.