
Robust data protection procedures: a necessity for membership and sport businesses

The Information Commissioner is hammering down hard on organisations that fail in their data practices. Large fines of up to £500,000 are being imposed on organisations that are often unwittingly in breach of the law; this article explains how you can stay on the right side of it.

Are your data protection practices on the right side of the law?

The Data Protection Act 1998 (DPA) was designed to establish a framework of rights and duties that must be adhered to in order to safeguard personal data. The Information Commissioner’s Office (ICO) is the UK’s regulator responsible for ensuring organisations comply with the DPA and whose powers include imposing monetary fines of up to £500,000 where the security of personal data is put at risk.

Most organisations process personal data – they collect it, use it, disclose it, buy it, store it, and so on – and they are breaking the law if they have not notified the ICO about their data processing. But compliance with the law goes much further than that, and the ICO is hammering down hard on organisations that cannot prove they have sound information governance in place: that their staff are regularly trained in this area; that they have data policies and procedures in place; that they have the infrastructure to audit their data processing practices; and, more generally, that they take a risk assessment approach to privacy protection.

How do I know if I might have a problem?

There are some simple steps to assess whether you are likely to be running unnecessary risks; here are perhaps the top 10:

  1. Do we have a notification and how often do we check it?
  2. What purposes have we notified?
  3. What do we do to check whether we comply with the data protection law(s)?
  4. Do we have a privacy policy, where is it, and is it fair and lawful?
  5. Do new starters have a DPA element to their induction?
  6. Do we train staff in our data protection policies and DPA in general at least annually?
  7. Do we have a list of the data we process, what it comprises, where it is, and who has access to it?
  8. What do we do to check how secure our IT is – all of our IT not just our servers?
  9. Are our IT or computing suppliers (e.g. backup, hosting, Cloud, repairs etc.) on sound agreements with us?
  10. Do we have a process for risk assessing data protection and privacy issues?

If you are not sure how you shape up against this quick list, then you may be running risks – contact us now for further information.