The law that controls how personal data is used by organizations, companies, or the government is the Data Protection Act of 1998. The Act deems you a “data controller” if you keep or process personal data in particular ways. As such, you are required to register with the Information Commissioner’s Office and follow stringent rules while handling personal data.
What type of business does the Data Protection Act affect?
The Data Protection Act covers a lot of ground. It does not only apply to particular types of businesses or even to businesses in general; if private individuals use data in certain ways, they may also be subject to its rules.
Thus, to use just two instances, a retail establishment that collects client addresses as part of a loyalty program and a daycare center that maintains records of the children in its care both must abide by the Data Protection Act’s regulations.
The Act, however, only applies if you have put or intend to put this information in some fashion on a computer; therefore, if your business is one of the very few that doesn’t use a computer to keep the information, it won’t apply to you.
How do you register with the Information Commissioner’s Office as a ‘data controller’?
Here is the registration page for the ICO. It can be finished in one sitting and takes about 15 minutes.
You will then be prompted to make a payment, which for most firms will be a $35 annual fee. This only increases to £500 if you are a major company with a turnover of more than £25.9 million and at least 249 employees.
Who is exempt from the Data Protection Act?
If you use data for solely domestic or private purposes, such as maintaining an address book or a phone contacts list of your friends and family, you do not need to register. The Data Protection Act does not apply to people who post their vacation photos on Facebook. You also do not need to register if:
- For internal, routine business operations like employee payroll, your corporation keeps personal information.
- If you legally collected the personal information and received authorization, your company may use it for advertising, marketing, and PR purposes related to your own business.
- You are the manager of a small, nonprofit organization, such as a club or small charity, and you exclusively use the information in conjunction with managing your business (more detail on this can be found here).
On the website of the Information Commissioner, there is a self-assessment guide that asks you a series of straightforward yes/no questions and can help you determine if you need to register or not. It shouldn’t take you more than five minutes to complete.
What happens after I’ve registered?
After registering, your company will show up on the ICO website’s publicly searchable database of data controllers, allowing users to examine the details of your company and the purposes for which you plan to use personal data.
Every time you store or use personal information, you, as a registered data controller, are required to follow a set of eight principles that are established in the Data Protection Act. It may seem overwhelming at first, but the principles were written to prevent businesses from utilizing customers’ data for improper or harmful purposes, and they are meant to stand on their own.
It is uncommon for businesses to violate the Act’s principles if they are upfront with their customers about the data they are collecting, what they plan to do with it, and how they will utilize it.
What do I need to do to comply with the Data Protection Act?
Once you have registered, you must adhere to the eight principles for the storage and use of data set forth in the Data Protection Act in order to remain in compliance with the law.
Although they are meant to be self-explanatory, we have provided advice to help you understand and adhere to each one when there are subtle differences.