Complying with the Data Protection Act: 3 business bear-traps awaiting the unwary

Visit the website of the Information Commissioner’s Office, and there’s an interesting section entitled ‘Enforcement’. In it, the Commissioner details the various criminal prosecutions that the Office has undertaken in the last few months, together with the enforcement notices that it has issued, and the fines that it has levied.

A startling fact about many of these cases is that they involve very ordinary businesses. A leisure centre. A doctor’s surgery. A lettings agency. A ‘payday loan’ company. An estate agent. And so on, and so on.

Another startling fact: despite these cases, a considerable number of businesses either don’t register with the Information Commissioner—thereby signalling their compliance with the Data Protection Act—or register inaccurately, or incompletely.

But even among businesses that have registered fully and accurately, bear-traps remain, catching out the unwary.

How come? Because businesses change and evolve, in short—and without those changes then being reflected in the business’s data protection compliance. Consider, for example, these three straightforward scenarios.

  1. Part of a business is being sold. A financial services company, for instance, is selling a division which provides independent financial advice. And as part of the transaction, the buyer is acquiring the division’s customer database. From a Data Protection Act compliance point of view, what are the obligations of the buyer—and the seller?
  2. A business is outsourcing overseas. To better serve its customers, a software firm is contemplating outsourcing its customer support and ‘helpdesk’ activity to a company based in India. This, naturally, involves giving the Indian company its customer database. But from a Data Protection Act compliance point of view, is this legally possible?
  3. A company has built up an extensive customer database, and wants to allow third parties to use it for their own marketing purposes. From a Data Protection Act compliance point of view, what has to be done to avoid falling foul of the law? 

Three perfectly straightforward scenarios, in short. But equally, three data protection minefields, with plenty of opportunity for errors—errors of commission, as well as omission.

Simply put, in the heat of a transaction, it’s very easy to forget that there are data protection obligations to be fulfilled. And equally very easy to do something, but do the wrong something.

So what about the specifics of the three scenarios above? The law is quite clear. The Data Protection Act 1998 requires every ‘data controller’ processing personal information—be they a large organisation, or sole trader—to register with the Information Commissioner’s Office, unless they are exempt.

Once registered, they must then protect the data responsibly, guarding against security breaches, maintaining people’s privacy, and—for marketing purposes—complying with both the Data Protection Act and the Privacy and Electronic Communications Regulations. And—for the avoidance of doubt—protecting that data responsibly explicitly excludes sending personal data outside the European Union, unless a number of strictly-defined protocols have been met.

Get it wrong, and—well, that’s where the ‘Enforcement’ section of the Information Commissioner’s website comes in.

But in reality, there’s no need to get it wrong.

At The Legal Director, we specialise in providing clear-cut legal advice in business-friendly language. Providing it affordably, to suit a business’s own needs and workloads. And in a range of offerings stretching from a fixed-fee monthly retainer starting at £100 + VAT for telephone advice, to your own part-time legal director, working alongside your own board of directors.

To find out more, get in touch.

Posted Sunday, August 31st, 2014 by Warren Ryland


