Data Protection Act - Do You Know Enough?

Data Protection Act - Do You Know Enough?

Are making sure you adhere to the current Data Protection Act?  We detail some of the main elements. If you are using a CRM or collecting and storing personal data of your customers, prospects, suppliers or anyone else’s data in some other format, the Data Protection Act 1998 (DPA) applies to you.

The Data Protection Act is long, complex and regulated by the ICO who provide a detailed explanation and great resources on their website

There are 8 main principles that you really need to be aware of when you collect and store personal data:

1. Personal data should be processed fairly and lawfully
a. Fairly means being open and honest about how you will use the data
b. Lawfully refers to NOT using the data for anything unlawful, criminal or civil

2. Personal data shall be used for the purposes specified only
a. At the time of collecting the data you need to make the person aware of what you will do with the data. If the data is collected from your website, this should be in the Privacy Policy on your website and referred to.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
a. The data you hold must be sufficient for the purposes and no more than that. If you don’t need it, don’t ask for it.

4. Personal data shall be accurate and, where necessary, kept up to date.
a. You must take reasonable steps to make sure the data is accurate and from time to time review the data

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
a. There is no guidance given on what length of time is necessary but it is good practise to regularly review your data and securely delete any records no longer needed

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
a. The person whose data you hold has a number of rights:

1. Right of access to the data
2. Right to correct the data
3. Right to prevent the use of the data if it will cause distress
4. Right to prevent a direct marketing approach
5. Right to prevent automate decisions being made based on the data - this refers to computer decision engines being used in loan applications, for example
6. Right to compensation for a breach of the Act

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
a. Under this principle you must hold and process the data securely, ensuring you and your staff keep it protected at all times by both technical systems and operating procedures.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
a. This is self explanatory, however, if you do have to transfer data must be done securely in accordance with principle 7.

If you are collecting sensitive personal data there are additional principles to adhere to which are detailed on the ICO website.

Alongside the DPA sits the Privacy and Electronic Communication Regulation which sets out extra rules for electronic communications. You can find out more on the ICO website at

The DPA will be updated and replaced by the General Data Protection Regulations (GDPR) which come into force in May 2018. In addition, the Privacy and Electronic Communication Regulations will also be updated.