Data protection and your business

15 Apr 2015

Data Protection is a fast-developing area of law that concerns every business whatever its size and whatever it does. Any business that ignores its responsibilities and obligations under the law risks a fine of up to £500,000.

These days, virtually all businesses collect and hold large quantities of personal information about their customers, employees and other individuals they deal with, such as suppliers and professional advisers. This information may be held in paper and/or electronic form.

The widespread use of information technology, the internet and portable digital media such as laptops, tablets and smartphones enables information to be collected, used and disseminated on an unprecedented scale, and provides many opportunities for data to be misused, damaged, destroyed prematurely or stolen.

With the growth in data has come a growth in litigation about its use and misuse: the number of privacy cases fought in UK courts has doubled in the last five years. This reflects the fact that people increasingly want to know how information about them is being used, who has access to it and what that means for them, especially where their sensitive data is concerned.

Although data protection law is aimed at protecting individuals, its ramifications affect every business and sometimes restrict what a business can do with its ‘own’ assets, e.g. selling its customer database.

The Information Commissioner’s Office (the regulator of the Data Protection Act) has stated:

"When a database is sold, the seller must make sure that the buyer understands that they can only use the information for the purposes for which it was collected. Any use of this personal information should be within the reasonable expectations of the individuals concerned. So, when a database is sold, its use should stay the same or similar. For example, if the database contains information obtained for insurance, the database should only be sold to another insurance-based business providing similar insurance products. Selling it to a business for a different use is likely to be incompatible with the original purpose and likely to go beyond the expectations of the individuals."

The key words here are "reasonable expectations of the individuals concerned." Such expectations are strongly linked to what the seller's privacy policy says. If it says something like:

"We would like to reassure you that your personal details are safe with us and will never be released to companies outside our Group for their marketing purposes," then any proposed sale of that database to a third party could result in a breach of the law.

To have a comprehensive and effective approach to data protection, every business should be clear about its legal obligations and take steps to ensure that its staff understand both the organisation's responsibilities and their own.

As is clear from the above, security in the context of the DPA is about more than hardware and software and the way information is stored or transmitted. Management and organisational security measures are equally important.

In practice this means businesses will need to:

-Be clear about who in the organisation is responsible for ensuring information security
-Create robust policies and procedures
-Have reliable, well-trained staff and
-Be ready to respond to any breach of security swiftly and effectively.

If you need help with any issue mentioned in this article, please contact Robert Wassall.