The vast majority of business organisations collect and process personal information in the course of business, whether in relation to their employees, or their customers, clients and suppliers. The data protection legislation exists to control how this data is used, ensuring it is used lawfully and fairly.
There are therefore several requirements that businesses need to be aware of in relation to the personal data they collect and hold. In particular, businesses need to understand:
- How to comply with the relevant legislation;
- The privacy and data protection rules that apply to direct marketing;
- The notification requirements.
The use of personal information collected by businesses in the UK is, for now, governed by the Data Protection Act 1998 (DPA). If your business requires you to store people’s personal details, such as employee records and customer/client details, you must comply with the DPA.
However, from 25 May 2018 the EU's General Data Protection Regulation (GDPR) will apply, bringing in stricter and more extensive requirements.
The Data Protection Principles
The DPA sets out eight data protection principles. The first and most important is that personal data must be processed fairly and lawfully, which in practice means transparently: you must tell individuals what you will use their information for, and your use of the personal information must not break any other law. Data must be obtained only for specified and lawful purposes, and it must be adequate, relevant and not excessive for the purpose for which it was obtained.
What do I need to tell individuals?
When you obtain personal information in the course of business, the DPA requires you to tell individuals:
- The name of your business or organisation;
- What you will use the information for (you cannot use information in a way which you have not specified);
- Any other information needed to make your use of their information fair;
- That they have a right to access the information and to correct it if it is incorrect;
- Ways in which you may use the information which they may not expect, such as passing it on to other organisations.
The DPA classifies some information as sensitive information, for which there are stricter rules. The following information in relation to the individual is classed as sensitive:
- Racial or ethnic origin;
- Political opinions;
- Religious or similar beliefs;
- Trade union membership;
- Physical or mental health condition;
- Sexual life;
- Offences or alleged offences committed;
- Proceedings related to those offences or alleged offences.
A business can only use sensitive personal information where, in addition to the general conditions for processing personal data, it can meet at least one of the narrower set of conditions for processing sensitive personal data specified by the DPA.
There are specific requirements under the DPA in relation to direct marketing. Individuals have the right to require you to stop, or not to begin, processing their personal data for the purposes of direct marketing. On receiving such a notice from an individual, you must comply within a reasonable period.
In addition, the Privacy and Electronic Communications Regulations (PECR) set out specific rules for direct marketing by electronic means, such as email, text message and telephone, which all businesses involved in direct marketing should be aware of.
The DPA requires businesses that are data controllers (subject to exemptions) to notify the Information Commissioner's Office (ICO) of the way in which they process and handle information about individuals. These details are then included in the ICO's public register of data controllers, which shows your organisation's name and the purposes for which you process the data.
Failure to notify the ICO when you are required to do so is a criminal offence.
There is an annual notification fee payable as follows:
- £500 for organisations with an annual turnover of £25.9m or more and 250 or more members of staff; this also applies to public bodies with 250 or more members of staff;
- £35 for all other organisations below that threshold.
How long does a notification last?
A notification lasts for one year, after which it must be renewed. If you wish to renew a notification, you must do so within 28 days of its expiry.
From 25 May 2018, the GDPR will be binding on all UK businesses and will amount to a stricter data protection regime, for which businesses should be preparing now. All UK businesses undertaking business in the European Union will be bound by the new rules, which include strict requirements around consent and an obligation to erase personal data without undue delay under the 'right to be forgotten' (the right to erasure). Individuals will also have greater rights over their data.
There will be harsh sanctions for businesses that breach the provisions of the GDPR, with potential fines of up to €20 million or 4% of worldwide annual turnover, whichever is greater.