Data Protection: Is Your Organisation Compliant With The Current Law
Data protection is a complex area and is in the process of fundamental change due to the General Data Protection Regulation, issued by the European Union, which is due to come into force on 25 May 2018. Whatever happens with Brexit, and on whatever timescale, data protection is a very important part of your organisation's administration, and steps should be taken to ensure compliance with the current law and to prepare for the implementation of the new law.
The current law is largely governed by the Data Protection Act 1998. The Act regulates the use of 'personal data' and 'sensitive personal data'. Data protection is an essential element of company administration. The law applies to all electronically processed personal data, and to some paper-based personal data.
Most companies and organisations will process personal data regarding, for example, their staff, their customers and their suppliers. All of this information is subject to data protection law. A company will need to have a fair collection statement (also known as a privacy notice) issued to all persons from whom personal data is to be obtained.
There are eight data protection principles, namely:
- personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  - at least one of a set of conditions in Schedule 2 of the Act (www.legislation.gov.uk/ukpga/1998/29/schedule/2) is met; and
  - in the case of sensitive personal data, at least one of a further set of conditions, set out in Schedule 3 of the Act (www.legislation.gov.uk/ukpga/1998/29/schedule/3), is also met;
- personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
- personal data shall be processed in accordance with the rights of data subjects under the Act;
- appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data; and
- personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Under the new law, most companies will be obliged to consider appointing a qualified Data Protection Officer, who will be responsible for overall compliance. The new law will have many far-reaching consequences, and it will take time and effort on the part of all organisations subject to the legislation to ensure that they are ready for the changes which are due to come into effect.
For more advice on data protection, go to www.ico.org.uk, the website of the Information Commissioner's Office (ICO), which is responsible for the enforcement of data protection law. Companies that process personal data need to register with the ICO as 'data controllers'.
Here at Ordered, we can assist you in organising your information, so that it is compliant with data protection law. Please contact us if you have any queries.