Data protection compliance - the basics
‘Data protection’ is about handling information about people, such as customers, clients and employees, in a way that is open, transparent, secure and fit for the digital era. Meeting their expectations will enhance the level of trust and confidence they have in an organisation and good information governance may save both time and money.
- Information about living individuals (for example, staff, customers, volunteers, club members, potential clients, or members of the public) is ‘personal data’.
- Collecting, storing, recording and using personal data either electronically or in hardcopy is ‘processing’.
- Any type of organisation, such as a business, company, charity, club, association, online retailer, sole trader, etc. that decides what personal data is needed to operate or provide the service, why, and how it is processed, is the ‘controller’.
- Another organisation or company that the controller engages to provide particular services which involve the processing of personal data, such as direct marketing, accounting, payroll provision, recruitment, research, IT provision, is a ‘processor’.
Who must comply?
All controllers must comply with the law - it does not matter how big or small the controller is, what the controller does, or how many staff, customers or clients, etc. it has.
(Processors have particular obligations under the new law which are not covered on this page. Find out more)
How to comply
In order to comply with the law, controllers must understand and demonstrate:
- Why they legitimately use personal data (the purposes) and how it flows in and out;
- What the minimum necessary personal data needed to fulfil each of those different purposes is, and how it is kept accurate and up-to-date;
- Whether any personal data is disclosed to named third parties, and in what circumstances;
- What security measures are needed to protect the personal data (this may vary depending on the particular purpose and what type of personal data is being processed);
- How long that personal data must be kept for the particular purpose.
In summary, this is known as ‘complying with the principles’.
Controllers are accountable for and must be able to demonstrate, compliance. Some form of record showing how they comply should be kept and reviewed and updated as necessary. There is no standard format but the record should be understandable to the controller and as simple or complex as needed.
Such a record will also help controllers comply with their other obligations including complying with the rights of individuals, such as the right of access, the right to erasure and the right to object.
Transparency (fair processing notices)
Individuals have a right to be given information about the use of their personal data and most of the information required for fair processing notices can be found in the details the controller has recorded about the processing being undertaken.
Controllers must give this information to individuals in clear, concise and plain language and it must contain details of their rights, including the right to complain to the Commissioner.
Registration is a component of compliance and controllers must register if:
- Personal data is automatically processed by the controller (or on its behalf by a processor); and
- The purposes for that processing are for more than just:
- Administering its own staff;
- Managing its own accounts.
Examples of where registration is required include:
- Installation of CCTV or use of other surveillance equipment, such as body-worn cameras, dash-cams, vehicle tracking
- Use of electronic communications for direct marketing to individuals (Email/SMS etc)
- Anti money-laundering obligations
The controller, having established the purposes for processing personal data, will know whether registration is required. In most cases controllers will need to register and a fee is usually payable.