The EU Data Protection Directive (also known as Directive 95/46/EC) is designed to protect the privacy of EU citizens and all personal data collected for or about them. Its aim is to ensure that organisations that collect data respect the rights and privacy of data subjects and treat all personal information carefully and securely at all times.

There are 7 key principles which business owners need to be aware of:

Notice:

When you collect data about an individual, you must make sure that they are aware that you are collecting and storing their personal information, what you are collecting, why you need it, and how you intend to use and protect it.

Purpose:

As you will have given details of your intended purpose at the time of collecting the data (see above), you must ensure that you only use it for that purpose. For example, if you have collected information from people for the sole purpose of entering a competition, and you have not made it clear that their data will be used to contact them for other reasons after the competition is finished, you will be in breach of the regulations.

Consent:

Now is a good time to review how you seek, obtain and record consent. Do your users state acceptance of a contract or statement of terms and conditions, and does this clearly state how you can use and share the information? You cannot decide to sell your database or share it with another organisation later unless you have permission to do so from the owner of the information. There is also a difference between implicit and explicit consent.

Security:

Once collected, personal data should be kept safe and secure from potential abuse, theft, or loss. Do you need to conduct Privacy Impact Assessments for particular projects or systems? Are you storing data on servers outside of the EU? If so, there are further actions you need to take to ensure that you are operating legally and that your data is safe and secure.

Disclosure:

When data is collected, you must make it clear to the subject which organisation is collecting the data and who it is for (if not the direct data collector). Therefore, if a competition is intended to generate a marketing database for a third party to use later, this should be made clear to the participants of the competition.

Access:

Anyone on whom you hold information may submit a subject access request, and you have a legal obligation to comply with it. They also have the right to have inaccuracies corrected, to have information erased, to prevent direct marketing, and to prevent automated decision-making and profiling. Most of these rights are already covered under the Data Protection Act. A new requirement is that of data portability, which simply means that the data should be provided in a commonly used electronic format.

Accountability:

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. You should also designate a Data Protection Officer, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. Your policies and procedures for collection, storage, management and deletion of data should be regularly reviewed, up to date and communicated clearly to all employees.

The ICO has provided a 12 step checklist to help businesses prepare for the new regulations which will be fully enforced by the end of next year.

12 steps to prepare for GDPR