Norwich law firm warns of risk of non-compliance
Norwich law firm Leathes Prior are warning that many are still not taking data protection seriously enough.
Since the Data Protection Act 1998 became law on 1 March 2000, many small to medium-sized businesses have adopted a decidedly laissez-faire attitude towards compliance, generally perceiving the Act to be a toothless tiger.
However, with the assistance of the magistrates' court, the OIC has recently dispelled this myth, firing a warning shot across the bows of all businesses in England & Wales when a Rochdale business was ordered to pay a £3,150 fine and £3,500 costs after the firm failed to notify under the Act.
Richard Fox, a specialist in Data Compliance at Leathes Prior, commented: "The Data Protection Act affects businesses far more than they realize. For example, under the Act, irrespective of size, all business organizations that collect, use or process customer &/or employee personal information are required to notify such processing with the OIC at a nominal cost of £35 per year. Even if businesses have notified, failure to process data in accordance with their notification is also a criminal offence, potentially leading to fines in excess of £5,000. To ensure compliance with the Act, businesses should appoint a data compliance officer and implement a data protection policy, advising managers and staff how to legally process customer &/or employee data on a daily basis."
Irrespective of the size of an organisation, most businesses undertake some form of customer data collection and direct marketing of their products and services to new and existing customers. Prior to collecting customer data, businesses must prominently display or otherwise make available to the customer a data protection notice explaining, for example, how and for what purposes the business processes such data. Further, in order to market in accordance with the Act and various subsidiary legislation, businesses must ensure that appropriate 'opt-in' and/or 'opt-out' data collection notices are included prominently on all marketing literature sent to customers.
Mr. Fox went on to say: "It doesn't end just with marketing. In addition to this, businesses must ensure that they comply with the Act when considering security of customer &/or employee data and the outsourcing of such data to third parties, such as IT consultants, PR companies, payroll administrators."
Consider this: the Rochdale business was only found to be in breach of the Act for failure to notify. Businesses should note that each breach of any aspect of the Act (such as failure to notify) can lead to a £5,000 fine on summary conviction and an unlimited fine on indictment.
If you require advice on any of the above areas or guidance on what steps your business should take to ensure compliance with the Act, please contact Richard Fox at Leathes Prior. Richard is a commercial solicitor, who specialises in data protection compliance.