12 things all businesses need to know about the Data Protection Act 1998
Data protection compliance in any business relies on a good information management culture being in place; without this, and without any staff training in data protection or information management, the organisation is open to the risk of a data breach occurring, along with potential financial and reputational damage. To help avoid a data breach, here are my top 12 do's and don'ts for any business holding and using personal information.
Do:
- Only allow collection and storage of personal data when there is a genuine and valid business reason for doing so.
- Give all new starters an induction on best practice data protection and information management.
- Provide staff with annual awareness training on the principles of the Data Protection Act and how to work practically within them.
- Have a business process where individuals are advised why their information is being collected, what it will be used for, who will have access to it and whether it will be passed to any other organisations.
- Keep your Data Protection and Information Governance policies up to date, and review them every 2 years.
- Make sure staff know how to recognise a request from someone for their own personal information (a subject access request) and what to do about it. The law gives organisations 40 calendar days to comply with the request.
Don't:
- Allow the use of personal information for other purposes if you've collected it specifically for something else.
- Allow access to, or share, sensitive personal data with colleagues who don't need the information to do their jobs.
- Keep personal data for any longer than necessary – chances are that old emails hold personal data and are breaching Principle 5 of the Act.
- Leave files or hard copy documents containing someone's personal information out on desks when they are vacated.
- Transfer personal data to other countries without checking that there will be adequate protection or agreements in place.
- Collect and process medical or other sensitive personal data about anyone without that person's permission.
If you would like to seek professional advice about Data Protection, click here.
Melody is an established and experienced Data Protection and Information & Records Management specialist with 13 years’ experience of working within the Public Sector, and the owner and Director of her own information management and data protection consultancy and training company, M2M Consultants Ltd. Melody will be providing a regular blog giving the best practice guidance and advice to help organisations work practically and in compliance with data protection regulations and information management laws.