Under the Data Protection Act 1998 (DPA) you must:
- use personal information fairly and lawfully;
- collect only the information necessary for a specific purpose(s);
- ensure it is relevant, accurate and up to date;
- only hold as much as you need, and only for as long as you need it;
- allow the subject of the information to see it on request; and
- keep it secure.
Good information handling makes good business sense, and it provides a range of benefits. You’ll enhance your business’ reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money.
Your business has established an appropriate Data Protection Policy?
A policy will help you to address data protection in a consistent manner. This can be a standalone policy statement or part of a general staff policy. The policy should clearly set out your business’s approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy should be approved by management, published and communicated to all staff. The policy should also be reviewed and updated at planned intervals or when required to ensure it remains relevant.
Your business has nominated a data protection lead?
It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring the data protection policy. Allocating these responsibilities to a data protection lead will help you effectively manage and co-ordinate data protection, and make your business more accountable. The lead should be appropriately skilled and have the necessary authority and resources to fulfil their duties.
Your business provides data protection awareness training for all staff?
Any data security breaches are accidental and result from insider actions. You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required. Specialist training for staff with specific duties, such as marketing, information security and database management, should also be considered. The regular communication of key messages is equally important to help reinforce training and maintain awareness (for example, intranet articles, circulars, team briefings and posters).
If you are not sure where you stand in respect to DPA (Data Protection Act) or the forthcoming GDPR (General Data Protection Regulation) call me now …
Bob Lewis-Basson 07802441728, or email firstname.lastname@example.org