Marc Dautlich, solicitor at law firm Olswang, says companies needn’t panic, as the Act is relatively easy to comply with. ‘To be honest, 75 per cent of it is just common sense; all it demands is a little bit of attention,’ he says. ‘Look at your processes in using personal information and appoint someone to oversee your data protection policy.’
‘The obvious concern for large and small organisations is data security, which is really easy to protect,’ says Dautlich. ‘If you have any personal information about employees or customers on a computer, make sure you encrypt it in case that information gets lost.’
Customers have the right to request a copy of the information you are holding about them, which must be sent within 40 calendar days. Breda Corish, head of market development (materials & healthcare, ICT & electronics) at business services organisation the British Standards Institution, says this is the main reason for companies breaching the act: ‘If a business has no-one to deal with such queries, they may be scrabbling around to find the relevant information and miss the deadline. Just by having a policy in place to deal with such requests, the ICO will look more favourably on your case should you be investigated.’
For Michael Evans, solicitor at Davenport Lyons, one of the keys to not falling foul of the Act is to correct errors on your information database promptly. ‘For example, if you have been informed that you are sending material to someone who has died, correct your database immediately. If you don’t and someone complains because they are continuing to receive correspondence and you have caused them distress, this could be viewed as a breach of the Act.’
Inform the ICO
Organisations are obliged to notify the Commissioner of the data they process unless it is for core business purposes, in which case they may be exempt. ‘There is a small but growing number of businesses that are being prosecuted for this, but forms are easy to obtain and complete from the ICO online,’ says Dautlich.
You must not send your customers unsolicited marketing information. If you have a website, put a box on the site asking for their permission for you to send them future correspondence. You should also ask your customers the same question if you are speaking to them over the phone or face-to-face.
There are also obvious business reasons for complying with the Act. Even if a customer doesn’t make a formal complaint, you may risk losing their business by mishandling their data. According to Corish, compliance can have the hidden benefit of enhancing marketing strategy: ‘By building up a bank of quality information you should be able to more appropriately target your customers.’