DATA PROTECTION ACT compliance
Data protection is a serious issue for all businesses. The Data Protection Act (the Act) defines personal data as ‘Any information relating to a living and identified or identifiable natural person’. The purpose of the act at a high level is as follows:
- The Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled correctly.
- It states that anyone who processes personal information must comply with eight principles.
- The Act also provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Sensitive Personal Data
The Act treats the following categories as sensitive personal data:
- Racial or ethnic origin of the data subject
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Trade union membership
- Physical or mental health or condition
- Sexual life
- The commission or alleged commission by them of any offence, or
- Any proceedings for any offence committed or alleged to have been committed by them
- The disposal of such proceedings or the sentence of any court in such proceedings
In the case of ‘sensitive’ personal data, at least one of the following conditions must also be met:
- The data subject has given their explicit consent to the processing of the personal data
- The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller
If a business handles this type of data and is found to be in breach of the Data Protection Act, it will not only incur possible loss of business and brand damage but could also be subject to a penalty from the UK Information Commissioner's Office (ICO). Amongst its powers, the ICO can issue fines of up to £500,000 and prison sentences for breaches of the Data Protection Act. Additionally, it has the authority to audit government departments without consent.
The ICO works actively with organisations to prevent data loss and has historically issued the maximum fine only to the worst offenders. That said, ensuring your organisation complies with the DPA has never been more important.
The purpose of this whitepaper is to give a high-level view of what the Act covers and an outline of the pragmatic approach we take when assisting businesses with data protection and compliance with the Data Protection Act.
We offer a range of services surrounding the Data Protection Act, including:
- Gap Analysis
- In house training
- Help achieving ISO 27001 and improvements to information security
- Products and services that ensure that data is stored, processed and transmitted securely
Gap Analysis
Our experienced data protection consultants can assess exactly where your current security practices, legal situation and operating procedures stand in terms of compliance with the Act. We can identify the steps that you will need to take to bring your business into full compliance with the Act.
A consultant will work with you to analyse the types of data that fall within the DPA remit and then establish how that data is handled throughout its lifecycle within your business. This process enables the consultant to analyse all aspects of the data handling processes and identify where the risks of a breach lie.
Help achieving ISO 27001
Some businesses use the ISO 27001 framework as proof of compliance for certain aspects of the DPA. We can provide consultancy for you to achieve ISO 27001 compliance.
Products and services
Complying with the Data Protection Act sometimes requires technology and additional services beyond what a business currently has. We have the expertise to understand a business’ security posture and the technology gaps it faces, and to provide a sensible and affordable solution.