Keeping your data secure
After a series of catastrophic errors by big businesses and the
government, data protection issues have been thrown into sharp
relief. As criminals become more savvy to how they can use data and
the public becomes more alert to the threats identity theft and
careless handling of data pose, it's become increasingly important
for businesses to ensure their approach to data protection is as
scrupulous as possible.
The Data Protection Act
- The Data Protection Act came into force in 1998 and provides
businesses and public bodies with a series of regulations governing
how they handle people's personal information. If you
store any personal data on customers or employees, the Data
Protection Act applies to you.
- The information the Data Protection Act covers can be described
as any information about living, identified or
identifiable individuals. It includes names,
addresses, email addresses, dates of birth, bank details and
opinions expressed about an individual.
- The Data Protection Act is split into eight principles, which
require that you:
- Process data fairly and according to the law
- Process data for a limited, lawful purpose
- Only hold enough information for your purpose - nothing
excessive or extraneous
- Ensure the data you hold is accurate, relevant and
- Don't hold the data for any longer than necessary
- Process the data in line with individuals' rights (below)
- Ensure the data is kept physically secure
- Don't transfer the data outside the European Economic Area
unless it is adequately protected.
- You need to be aware of the rights the Data
Protection Act grants individuals. These
- The right of subject access, which allows individuals to see
the data you hold on them
- The right to prevent direct marketing, which means individuals
can opt out of being targeted with direct marketing, either online
or by phone or mail. Once an individual has put their request in
writing, you have up to 28 days to stop.
- The right to have personal information corrected
- The right to prevent automated decisions, which prevents you
from making decisions on an individual using an automated process
or algorithm. For example, it would be against the law to employ
someone based purely on the results of a psychometric test.
- In some cases, you may be required to notify the
Information Commissioner's Office (ICO) that you are
holding data. The ICO allows people to find out what information
organisations are holding on them and what the information is being
used for. If you use individuals' information for any purpose other
than staff administration (payroll, etc), marketing or PR for your
own business (rather than selling the information to a third
party), or accounts and records, you will be required to notify the
ICO. If you're at all uncertain, it's best to contact the ICO using
the contact details below.
Keeping your data secure
- Losing data will put your business at
risk, so make sure you follow best practice at all
times. If you have any doubts over how you are handling your data,
contact the information commissioner's office or visit its
- Carry out a risk assessment to identify physical
risks to your data. Could it be affected by power
cuts, theft or fire? Make a plan which details how you will take
action if your data is affected by any of these threats.
- Make a list of who has access to sensitive
data and who is responsible for inputting it, so you
can identify who you need to train and who is at fault if something
does happen to your data. Make sure these people are aware of the
Data Protection Act and know how to handle data correctly.
- It might seem obvious, but run regular virus
scans to minimise the risks computer viruses pose. A
recent report indicated more than three quarters if business
computers are affected by viruses - and if your computer is hit by
a bad one, the result could be catastrophic.
- Implement an IT security policy to
make clear to your staff exactly how they should be handling data.
This should include rules on how to handle customer and business
information, limitations on the amount of access your employees
have to data, and an acceptable use policy for the internet and
- As well as the increased threat of getting a virus,
misuse of the internet could have a damaging effect on
your business in other ways - including exposing your
business to an increased risk of legal action, a loss of
productivity, and damage to your reputation if one of your
employees sends a badly-worded email. Be vigilant on this point and
remind your employees personal emails are representing the company
as well as the individual.
- Create a data backup routine to make
sure your business isn't affected if something happens to your
servers. This should take place at least once a week, but ideally
- The Data Protection Act sets out eight principles for the safe
and legal handling of data
- You might be required to notify the information commissioner
(ICO) to comply with the Act
- Carry out a risk assessment to identify physical risks to your
- Make a list of employees who have access to sensitive data
- Run regular virus scans to keep your IT systems protected
- Implement an IT security policy
- Create a data backup routine
How do I know with the Data Protection Act applies
The Act applies to every organisation which holds data and uses it
commercially - whether that's for mailouts or just a database of
How do I notify the ICO?
To notify the ICO, go to their website and download the
notification from. You need to send it to The Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF. You can also request a form over the phone by
calling 01625 545740. There is a charge of £35 for
What do I do if the police want to use our
There is an exemption under the Data Protection Act which means
the police can use your data if it's going to help them prevent or
detect a crime or prosecute someone - but they need to demonstrate
that it will harm their case if you don't release it.
Smarta Business Builder
To help you on your business journey, we've created Smarta Business Builder, the complete online
tools package for growing your business. Website
Documents and Email - all in one place
- from just £20 per month with no contract! Try it out today.