Organisations must gain clearance for personal data processing, warns ICO
As per the Information Commissioner’s Office guidelines, organisations are required to register with them annually and detail any data processing intentions they may have, prior to commencement of any activity. Those that don’t are guilty of an offence under UK data protection laws.
Under the Data Protection Act (DPA), organisations cannot process personal data unless they have notified the ICO of their planned activities and have been included in the watchdog’s “Data Controller Register”, subject to some exceptions. One exception is where an organisation only processes personal data for staff administration purposes.
As part of the registration, organisations must provide the ICO with “a general description of measures” they plan to take to ensure personal data is properly secure and to protect against the risk of “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
It is a criminal offence to process personal data without an appropriate entry on the data controller register unless an exemption applies. It is also a criminal offence to fail to notify the ICO of any changes to the data controller’s processing, or to process personal data in a way that is inconsistent with the organisation’s registry entry.
Data protection law specialist Danielle van der Merwe of Pinsent Masons, the law firm behind Out-Law.com, said that proposed changes to EU data protection laws could bring an end to the notification requirement.
“The proposed General Data Protection Regulation, which is set to change the EU data protection regime, currently includes a provision which will ease the regulatory burden on data controllers by scrapping the need for organisations to notify with their local data protection authority,” she said.
Under the draft Regulation many large businesses and those with personal data-heavy processing operations would be required to appoint dedicated data protection officers whilst businesses would also be required to keep a record of their personal data processing and provide the information upon request to regulators. This is where Absolute Data can help.
Absolute Data runs a service called DataWise. DataWise is committed to ensuring companies and organisations, regardless of their size, create and follow realistic data protection policies and procedures that exceed legal requirements. We can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection, but also in how they can ensure they are fully adhering to data protection law. We can either provide clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches, or a retained consultancy service, whereby one of our dedicated staff members works onsite with your staff for a pre-agreed number of days per week.
Please feel free to get in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at firstname.lastname@example.org, or call us on 01423 790125.