SMEs failing to comply with Data Protection Act

The majority of small companies that operate websites are exhibiting low levels of compliance with the Data Protection Act that came into effect in October 2001. And even those that show high levels of compliance are doing so "more by accident than design."

This is the verdict of a study commissioned by the Office of the Information Commissioner (OIC).

The Data Protection Act covers the processing of personal data through eight basic principles. Data must be fairly and lawfully processed, accurate, relevant, secure, processed for limited purposes, not kept longer than necessary, processed in accordance with the subject’s rights and not transferred to countries without adequate protection.

The report – Study of Compliance with the Data Protection Act (1998) by UK based websites – discovered that general awareness of the Act was good across all sizes of companies. However, small companies, particularly those that have extended their existing activities onto the web, were found to be far from fully compliant.

This situation should cause owners and managers of SMEs some concern as the penalties for failing to comply are not insubstantial. They can expect fines of up to £5,000 plus costs in the Magistrate’s Courts (and an unlimited fine in the Higher Courts) for certain breaches of the act.

Luckily, UK online for business, the Government e-commerce agency, offers helpful guidelines to ensure SMEs can conduct the appropriate internet compliance.

For instance, it suggests SMEs should provide visitors to their websites with an “opt-in” box in relation to questions regarding the receipt of marketing emails and newsletters. It also suggests placing an explanation on how to “unsubscribe” from these services.

Establishing a “privacy policy” and explaining it clearly is also crucial as it both complies with the Act and reassures customers.

A privacy policy could include telling users how personal information will be used (before it is submitted) and informing users if there are “cookies” on a site (cookies can collect certain personal details without users being aware of it). See also: Three steps to writing a cookie policy for your website

If SMEs share data with other organisations, providing a tick-box that enables users to prevent their details being disseminated is another useful strategy to deploy to comply with the law.

For more information on the Data Protection Act and to comply fully, go to Data Protection Gov.UK

Update: Does the Data Protection Act affect you?

Related Topics

Data Protection