Do I need to comply with the Data Protection Act?

If you obtain, store or use personal details from customers, suppliers or other contacts, it is a legal requirement that you comply with the eight main principles of the Data Protection Act to protect people's privacy. 

The eight principles state that the information must be:

  • Fairly and lawfully processed 
  • Processed for specified purposes 
  • Adequate, relevant and not excessive 
  • Accurate, and where necessary, kept up to date 
  • Not kept for longer than is necessary 
  • Processed in line with the rights of the individual 
  • Kept secure 
  • Not transferred to countries outside the European Economic Area unless there is adequate protection for the information.

From a marketing point of view, it makes sense to always ensure your data is 'clean' and up to date. Nothing annoys a potential client more than irrelevant mailings and incorrect details. Obviously, this is not only a drain on your time but on your money as well. 

Individuals can and do contact the Information Commissioner to query how their information is handled and whether a company's data handling process complies with the DPA. Worse still, they can seek compensation for any damage that results from their data not being processed in line with the legislation.

What role does the Information Commissioner's Office play?

The ICO can check that you're complying, force you to stop using the data where there has been a breach of the Act, and prosecute those committing criminal offences under the Act.

What if someone asks to see the information I hold on them?

Individuals have a right under the DPA's 'right of subject access' to have a copy of the information held about them.
If you do receive a subject access request, you must deal with it within 40 days of receipt. You will need to inform them of your processing details as well as the information you hold on that individual. You can charge a fee of up to £10 for responding to such a request.

The law has changed regarding personal data as of 25th May 2018, with the GDPR (General Data Protection Regulation) coming into effect.
