The Act is designed to give individuals certain rights – such as to “be informed upon request of all the information held about them ” – and “requires those who record and use personal information (data controllers) to be open about their use of that information.”
The Information Commissioner (IC) points out in its compliance advice that the Act makes no particular allowance for small businesses. It is the personal information that a business holds in relation to its business activities which is the important issue.
The IC does recognise that “those running small businesses work under a great deal of pressure.” While these businesses may find the Act a bureaucratic burden, the IC states that the Act will help them establish a good set of operating practices “which will be of considerable benefit to … business generally.”
However, there are two notable changes being brought into force that Jodie Sanger, Direct Marketing Association (DMA) Legal Affairs Manager, has pointed out that might cause direct marketers (of all sizes) problems from 24 October.
The first area relates to transferring data outside the EEA [EU countries plus Norway, Iceland and Liechenstein]. Under the 1984 Act, there were no restrictions on transferring data outside Europe. The introduction of the 1998 Act has meant that transfers such as this “may not take place unless the country to which the transfer is being made has an adequate level of data protection.”
Sanger pointed out that once the transitional period has come to an end, “the onus is on the data controller to ensure this level of protection is provided before the transfer is made. Failure to do so will amount to breach of the Act.” To do this will be time consuming for smaller ventures.
The second area of concern relates to manual records or paper files. Sanger sees this area as more crucial to direct marketers and may cause them compliance problems.
According to the Act, during the transitional period, manual records held in a manual filing system before 24 October 1998 are exempt from full compliance until 2007. However, manual records created since this date, which are stored as part of a file and are structured by reference to individuals or by criteria relating to individuals, need to comply with the 1998 Act by the end of the transitional period.
“Many companies hold some form of manual files,” commented Sanger, “These must be organised in such a way that they comply with the provision of the Data Protection Act 1998.”This will present a lot of extra work for small firms.
Not complying with the act though is not an option as the Information Commissioner confirmed that the penalties for non-compliance can range from £5,000, should the case reach the stage of prosecution, to an unlimited fine in the Higher Courts.
More information on the Data Protection Act here.