The Information Commissioner takes a stand
24/03/2011
By Henar Dyson, Senior Associate in Corporate & Commercial
Recent cases show that data protection has become an area of genuine concern for all businesses. More worryingly, it is now a subject to be considered under the heading of ‘risk management’.
The Information Commissioner (the IC) has, for the first time, exercised his power to fine organisations that do not handle personal data according to the rules of the Data Protection Act 1998. The first fines, of £100,000 and £60,000, were handed out in November 2010.
Businesses should assess their own data protection policies. Here are some suggestions to consider:
- appoint a senior person with sufficient authority and understanding of the business to conduct a risk assessment and to lead on compliance;
- ensure that you have registered with the IC and that you renew the registration annually;
- identify the personal data that the business holds - client databases, data stored in mobile phones and data about your employees will all be personal data;
- identify the ways in which personal data flows and consider whether policies are needed to control this or if improved security should be put in place;
- consider whether personal data is processed externally, including through cloud computing; for example, where payroll has been outsourced, the employer remains responsible for the proper processing of that data.
Businesses should be wary if they are currently treating data protection as a box to be ticked on a compliance checklist. It will be an ongoing requirement to regularly review your data protection processes. Adverse press coverage impacts on the bottom line, as would the maximum possible fine of £500,000.
A useful place to start is the IC’s website: www.ico.gov.uk.