The UK privacy watchdog, the Information Commissioner's Office (ICO), has published a new guide to help businesses understand their obligations under the Data Protection Act.
The Plain English Guide to Data Protection takes a straightforward look at the principles of the Act and provides practical business-based examples, the ICO said.
Too many organisations are still playing "fast and loose" with personal data, said Information Commissioner Christopher Graham.
"This new guide will help organisations comply with the law and demystify data protection," he said.
Stephen Alambritis, head of public affairs at the Federation of Small Businesses, praised the jargon-busting guide.
Getting data protection right makes good business sense, but many organisations find data protection law difficult to understand, he said.
Liz Fitzsimons, senior associate at international law firm Eversheds, said the ICO has made it clear that it will no longer tolerate businesses that claim ignorance of the law.
"The guide means there are no longer any excuses as far as the ICO is concerned," she said.
The guide has a lot to offer, even for the more knowledgeable or experienced reader, said Fitzsimons. "Not least, because it provides an up-to-date view of how the ICO would analyse and consider issues in the event of a complaint or other investigation."
The ICO's top data protection tips for business
- An organisation should say what it is going to do with personal information before individuals provide any details - unless this is obvious.
- Information should only be used for the reason for which it was collected in the first place.
- An organisation should not collect more information than is necessary.
- Information should be kept accurate and up to date - if an organisation is asked to make changes to a person's details, it should do this.
- An organisation should not keep personal information if it is no longer needed.
- An organisation must comply with requests to provide copies of information held on an individual - if asked.
- An organisation must keep personal information secure at all times.
- An organisation should not transfer personal details to another country unless adequate data protection arrangements are in place.