Data Protection: Have You Registered with the Information Commissioner?
Registration with the Information Commissioner is mandatory if you control data about individuals for any purpose other than staff administration, business accounts and records, or marketing activities for your own business. If you do these things for someone else, or if you use personal data for any other purpose, and the records are held electronically, you must be registered to comply with UK law.
For example, if your business has a social club, and you keep computer records of members, you are not exempt from having to register. If you are a marketing consultant, and hold personal records of your clients’ customers or targets, you are not exempt either. If you are not sure whether you are exempt, check out the Data Protection Basics page at http://www.ico.gov.uk.
When you register, you are required to notify the Commissioner of the type of information you hold and how you use it. After this you must notify the Commissioner of any changes, either to your own details or to how you are processing data. You must keep your data accurate and up to date for as long as you need it, and keep it no longer than is necessary.
You also have a responsibility for the security of the data you hold, and new penalties have recently been introduced by the Information Commissioner’s Office that give the Commissioner power to impose a fine of up to half a million pounds for serious breaches of the Data Protection Act.
Yes, that’s £500,000!
This maximum amount will only be imposed in very substantial cases which might be damaging or distressing for the individuals concerned, and where the data controller acted unlawfully or failed to take reasonable steps to stop it happening. But even a fraction of that penalty could have serious implications for your business.
Be warned. The onus is on you to ensure you remain compliant with the Data Protection Act 1998.