Data protection laws may seem onerous for small firms, but not if common sense processes are put in place as early as possible
Data protection and privacy legislation can be a compliance headache for SMEs. It permeates all areas of offline and online business. Small to medium-sized companies are expected to comply with the same regime as larger organisations, even though resources are often stretched just driving the core business, never mind dealing with what many consider to be just "red tape".
Despite this, SMEs cannot afford not to comply with the latest data protection and privacy legislation. The alternative is to face the threat of being made an example of by the Information Commissioner, who is responsible for enforcing the UK legislation. Although limits on his resources mean that, for now at least, his approach to enforcement is likely to be to serve punishment on the worst offenders, it remains in every SME's best interest to ensure they are not in the firing line.
The Data Protection Act covers all data relating to living individuals, irrespective of whether it is held electronically or in hard copy form. It covers how and why data is collected and held, as well as how it is used and disclosed, particularly more sensitive data, such as that which is health-related. Almost all businesses process personal data in some way, putting them into the category of data controllers under the act.
The first job for the data controller is notification. This involves alerting the public,via a register published online, about any personal data the company processes andf or what reason it is being collected.
Costing £35 annually, the register can be completed online. Although there are some cases where organisations are exempt from having to register details, any business dealing with customers will almost certainly have to provide notification. The easiest way to do this is to fill in the self-assessment questionnaire at www.informationcommissioner.gov.uk, prior to making notification online, if necessary.
The next step is to ensure the business is complying with the so-called eight principles, which are summarised at www.informationcommissioner.gov.uk/eventual.aspx?id=2042. The website also proves a series of usefulaudit resources to help companies review their level of compliance.
Once these initial steps have been taken, it is important to remember that compliance is an ongoing matter, to be regularly reviewed. Generally, it is easiest to get consent for proposed uses of personal data and the parties to whom it will be disclosed at point of collection, for example by providing notice onan online form with a tick box.
If data is to be transferred out of the UK, make sure this is covered by the notice. Also, implement checks to ensure data is up-to-date and held securely. Use passwords for electronic files and locked cabinets for paper-based ones.
Requests may be received by companies from individuals seeking to find out what data is held on them. Organisations now have a legal duty to supply this information within a given time frame, so it is essential not t odelay. Appoint or assign someone to deal with these requests effectively and efficiently.
Meanwhile, the recently introduced Privacy Regulations are placing further constraints on methods traditionally used by SMEs to expand their customer bases. With mailshots and other direct marketing activity a key part of many small business marketing strategies, SMEs have to be aware of the new restrictions.
The practice of customer list buying/selling/swapping is now extremely difficult to achieve lawfully and opt-in consent is required for certain types of unsolicited electronic marketing. The best advice is to plan campaigns carefully and ensure appropriate consents have been received. Always allow customers to opt out of receiving further material.
The bottom line about data protectionand privacy law is: making sense is often just common sense. Putting in place procedures and processes right from the start will make it easier to comply with any future demands and ensure a professional image is promoted to customers.
Gillian Cameron is an IP specialist with corporate law firm Maclay Murray & Spens