There are a number of basic requirements for the
U.K. Data Protection Act of 1998
and some are extremely demanding. As a minimum, every organization that is going to process personal data (and this means any data relating to a living human being, not to an organization) must register with the Information Commissioner (www.ico.gov.uk) and describe, in the registration, what the purpose of processing this data is. It must be a permitted purpose. Registration is annually renewable and, once registered, you must comply with the purposes for which you've registered. That's the easy bit. The more complex bit is, in essence, that you must comply with the eight
principles of the Data Protection Act
. The eight principles are that personal information must be:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Not transferred to other countries without adequate protection
The ICO has comprehensive information (http://www.ico.gov.uk/for_organisations.aspx) and the BSI Data Protection Guide provides comprehensive guidance.
Expert Alan Calder responds to a reader’s question: Must companies outside the EU change their websites to comply with EU cookie regulations?
Alan Calder discusses PCI credit card compliance and explains the importance of encryption to credit card data protection when primary account ...
Expert Alan Calder explains the security and compliance challenges for call centres that record telephone conversations and credit card details.
Read more on Regulatory compliance and standard requirements