With fines of up to £500,000 possible depending on the level of breach, data protection is something that start-up business owners have to take into serious consideration. You will more than likely have some data protection responsibilities, even if only on a small scale at this stage of your career as a business owner.
The Data Protection Act 1998 has eight key principles that you should be aware of as the owner of a business. Each relates to how organisations handle personal information. If you hold some personal data, of employees or customers, you are the ‘data controller’ in the eyes of the law as the owner of the business.
Personal Information must:
Be processed fairly and lawfully: You must advise the individual of your business name and the purpose for which their information will be used. You must also make them aware that they can access and correct any information you hold and tell them if the information is to be used in a way that is not obvious, such as being passed to a credit reference agency.
Be processed for specified lawful purposes: You must have a lawful reason for collecting an individual’s data and it cannot be speculatively collected.
Be adequate and relevant: Only collect the bare minimum of data, data that is relevant to your purpose. You are not entitled to collect any more information than that.
Be accurate and up to date: Any information you hold relating to an individual must be up to date and completely accurate. You must allow individuals the right to easily access and update any information that changes.
Be kept for no longer than necessary: If you are collecting data for a specific period you must not keep the data for longer than the specified length of time. You should explain to individuals how long their data will be kept where applicable.
Be processed in accordance with individuals’ rights: The Data Protection Act clearly sets out the rights of individuals and your responsibilities as the data controller. Please be aware at all times of these rights and always act in accordance with them.
Be kept secure: All data that you hold on an individual must be kept in a secure location and should be safe from any unlawful processing, loss or potential tampering of information. You should develop processes that secure personal data within your start-up company.
Not be transferred outside of the European Economic Area without protection: You may only legally transfer personal data outside of the EEA if the country it is being transferred to has the required level of legal protection for the individual.
You are also required to notify the Information Commissioner’s Office (ICO) of your activities in a number of cases. There are exemptions, however, if you only process personal information and data for staff administration, payroll, advertising or marketing and PR. You are also exempt if you only process information in order to maintain a public register, if you are head of a not-for-profit organisation, or if you have no automated system in place to process data.