HOW TO: Meet data legislation


Understanding and acting in accordance with data legislation is vital but, at times, confusing. Steph Barber, head of law at Law Hound, provides five tips for understanding your obligations around the data you hold.

Data legislation in England and Wales stems from the Data Protection Acts, although other legislation, such as the Privacy and Electronic Communications Regulations, also applies.

This legislation places obligations on us about collecting, using and storing personal data, and gives rights to data subjects (the people we hold data about). To ensure compliance with data legislation, follow these steps:

1. Understand protected data

Protected data is personal data: information from which a living individual is identified, or could be identified when it is considered together with other information you hold or could come into your possession. Examples are name, address or email address, phone number and date of birth. Sensitive personal data is a subset that attracts stricter rules and relates to:

• Racial or ethnic origin.

• Physical or mental health or condition.

• Criminal offences or record.

• Sexual life.

• Political opinions.

• Religious beliefs.

2. Why is data protected?

Data legislation aims to strike a balance between an individual’s privacy rights and the use of data for business, and applies whenever personal data is recorded and processed, whether manually or by computer. The manual case is an important aspect of data protection legislation that is frequently missed. If you maintain electronic records only by client number, but that number relates to a paper file that contains personal information, the file is part of a ‘data system’ and constitutes protected data under the Acts.

How? The primary legislation sets out eight principles, requiring that personal data:

1) is fairly and lawfully processed, satisfying one of the Act’s conditions for processing.

2) is obtained for lawful and specified purposes and only processed for those purposes.

3) is adequate and relevant but not excessive.

4) is accurate and, as necessary, kept up-to-date.

5) is not kept longer than is necessary for the purpose it’s processed for.

6) is processed in accordance with data subject’s rights.

7) is protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.

8) is not transferred outside the EEA unless the destination provides an adequate level of protection for the rights and freedoms of data subjects in relation to that data.

You can only process personal data if you have the data subject’s consent or can show that the processing is necessary:

• because of a contract the data subject has entered or is considering entering.

• because of your legal obligations.

• to protect a data subject’s ‘vital interests’ (life or death).

• to administer justice or exercise statutory, governmental or public functions.

• to pursue your ‘legitimate interests’, provided these are not overridden by the data subject’s rights and interests.

Sensitive personal data requires additional care, so it can only be lawfully processed if, in addition to one of the conditions above, a further, more specific condition is met, for example:

• The data subject has given his or her explicit consent.

• It is necessary to establish, exercise or defend legal rights.

If you collect, store and process personal data then you will probably need to be registered with the Information Commissioner’s Office (ICO).

3. Know what data you store

As a business do you really know what data you collect and store? When was the last time you reviewed this?

Ensure the data you collect is relevant but not excessive. One way to do this is to collect only data that you need to conduct your business and that it is lawful for you to hold, and to make sure the data subject knows you hold it and what you are going to do with it.

Don’t hoard data because it might be useful one day. Make sure you can point to the legal condition under which you process each category of data, and that you delete or destroy data once you no longer need it.

4. Ensure you can use data

Just because you hold data doesn’t mean you can use it in any way you like. For example, you need your employees’ details to pay them, but that does not mean you can put information about them on your website without their permission. Ensure that each way you use the data is one the data subject has agreed to, or that another processing condition covers it.

5. Data storage and access

Having established what data you need and use, limit access to the people who need it for their work. Record who has access to each set of data and why, and review this when roles change.

Are you storing and accessing the data properly? Ensure it is stored safely and securely, and that everyone in the business knows what to do if someone asks them for personal data, for example when a data subject makes a subject access request. Having followed these steps and confirmed your compliance, don’t forget to keep the records that prove it.
