The Data Protection Act and your business
How to avoid a £500,000 fine

If your business uses or holds databases, emails or spreadsheets of customer information, then the Data Protection Act 1998 (DPA) will most likely apply, as this information will usually be used or 'processed' in some way.

The DPA is administered by the Information Commissioner's Office (ICO), which holds all registrations that companies have made under the Act.

Fines of up to £500,000

If you fail to comply with the Act then you could face heavy penalties. Failure to comply with the DPA could mean a fine of up to £5,000. In serious breaches of the Act, however, the ICO can impose a fine (with no recourse to the courts) of £500,000.

In essence the DPA compels your business to:

  • Only collect information that you need for a specific purpose.
  • Keep the information collected secure.
  • Ensure that the information your business holds is relevant and up to date.
  • The information held must only be what your business needs, and the information should only be held for the minimum time your business needs it.
  • Anyone that your business holds information about has the right to see this information at any time.

Note that the DPA applies to living individuals that you hold paper and/or electronic records about. Information can include their name, date of birth and address. But other information is also covered by the Act. A full definition can be found on the ICO website.

Basic registration is £35. Be aware that some bogus registration companies may try to charge more. Avoid these and register directly with the ICO.

Key DPA definitions

It is important that your business understands what 'personal data' means in the context of the DPA to allow your business to decide whether it needs to register. Under the DPA, personal data means information which:

  1. Is being processed by means of equipment operating automatically in response to instructions given for that purpose.
  2. Is recorded with the intention that it should be processed by means of such equipment.
  3. Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Sections one and two above make it clear that information that is held on computer, or is intended to be held on computer, is data. However, data recorded on paper is also included under the Act if you intend to put it on computer at a later date.

There are a number of exemptions to the DPA that your business should be aware of. The Act does not apply to:

  • Organisations that process personal data only for a) staff administration (including payroll) b) advertising, marketing and public relations (in connection with their own business activity)
  • Accounts and records.
  • Some not-for-profit organisations.
  • Organisations that process personal data only for maintaining a public register.
  • Organisations that do not process personal information on computer.

Actions to take

Much of the DPA is common sense, but your business should ensure that it fully understands the key requirements of the Act and puts in place systems to ensure its demands are met both online and offline. The DPA has multiple rules on the physical and secure protection of data, both on the business premises and when data is sent out of the business.

The ICO has a training checklist that includes the following advice about keeping personal data secure that your staff should follow:

  • Keep passwords secure – change regularly, no sharing.
  • Lock / log off computers when away from their desks.
  • Dispose of confidential paper waste securely by shredding.
  • Prevent virus attacks by taking care when opening emails and attachments or visiting new websites.
  • Work on a 'clear desk' basis - by securely storing hard copy personal information when it is not being used.
  • Visitors should be signed in and out of the premises, or accompanied in areas normally restricted to staff.
  • Position computer screens away from windows to prevent accidental disclosures of personal information.
  • Encrypt personal information that is being taken out of the office if it would cause damage or distress if lost or stolen.
  • Keep back-ups of information.

The DPA is not designed to impose masses of restrictions on your business, but to ensure that any personal information your business does hold about your customers is properly managed and is secure. It is important that your business registers as soon as it can if the DPA applies.

In addition, the ICO's website contains all the information you need to help your business decide whether registration is needed including full definitions of what data the Act covers.

You can also contact the ICO directly on 0303 123 1113 or 01625 545745, which is available between 9am and 5pm, Monday to Friday.
