Skip to main content

The New EU Data Protection Directive

With the coming into force of EU data protection legislation and the rising reputational and regulatory risks from data breaches, please see below a data compliance checklist, which we hope your organisation or business will find useful.
  1.  NOTIFICATION
    • Business registered with the Information Commissioner’s Office?
    • If registered, is entry up to date/relevant/wide enough to cover future uses?
  1. COMPLIANCE WITH DATA PROTECTION PRINCIPLES
    • What personal information is held and why
    • Is the information collected necessary for the purposes for which it is held?
    • How is accuracy of personal information checked?
    • How is information kept up to date?
    • How long is information held?
    • Where is information held?
      1. If on servers, where are servers based?
      2. Is the information secure?
    • What staff have access to the information and why?
    • Is the information disclosed to any third parties?
    • What details are provided when information is collected?
  1. POLICIES
    • Have staff been trained in data protection?
    • Data Retention Policy
    • Data Security Policy
    • Access to Information Policy
    • Subject Access Request Policy
  1. DATA PROTECTION OFFICER
  • Is there a named person/job title with responsibility for data protection?  (Not currently required, but likely to be a requirement when new EU legislation comes into force).
  1. RIGHTS OF DATA SUBJECTS
    • Procedures/guidance in place for dealing with a Subject Access Request?
    • Procedures/guidance in place for dealing with a section 10 Notice (request to delete data that may cause damage/distress)?
© Stone King LLP, October 2014
If you would like further information about the Regulations or if you have any concerns or queries in relation to them, please contact Vicki Bowles, Senior Associate or Brian Miller, solicitor and partner, IP/IT & Commercial.
Vicki Bowles is a barrister specialising in data protection and information management law and Brian Miller is a solicitor at Stone King LLP, providing specialist advice in the fields of intellectual property, IT, data protection and commercial law.
Disclaimer: This article may not be reproduced without the prior written permission of the author. This article reflects the current law and practice. It is general in nature, and does not purport in any way to be comprehensive or a substitute for specialist legal advice in individual circumstances.

Comments

Post a Comment

Popular posts from this blog

Cloud Service Providers Now Subject To Scrutiny Of Assurance Registry

After mounting concerns relating to the security of cloud computing, a new online platform is to enable users to assess the security features of registered cloud providers. The Security, Trust & Assurance Registry (STAR) hopes to encourage providers to improve their data protection security thanks to this increased transparency, as well as aid organisations using the providers to comply with data protection laws. The Working Party drew attention to firm’s lack of control over customer’s personal data when using cloud services. As cloud computing uses an internet based network in place of local computing resources, they stated that there is risk of "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures," by organisations using these providers.          Operated by not-for-profit body the Cloud Security Alliance (CSA), STAR hopes to limit such risks to data protection. The CSA’s members include Google, Microsoft and m
Post a Comment
Read more

Torbay Care Trust Fined For Data Protection Breaches

As a result of breaching data protection laws, the Torbay Care Trust has been fined £175,000 by the ICO. A spreadsheet containing "sensitive" information about the employees' religion and sexuality; as well as names, dates of birth and national insurance numbers was published on to their website. The ICO said that such information was likely to cause substantial damage and/or distress to those who had had their details exposed. What is more, head of enforcement with the ICO, Stephen Eckersley, highlighted that the release of such information put staff at risk of being victims of identity fraud. The breach only came to light when a member of the public reported it 19 weeks after it was posted, the ICO said. The Data Protection Act (DPA) requires organisations to exercise the appropriate organisational measures to eliminate the risk of such sensitive information being used without authorisation. This includes the need to have "effective policies and procedures
Post a Comment
Read more

Jail Sentences for Data Protection Offenders

The House of Commons' Home Affairs Select Committee are encouraging the Home Secretary to introduce jail sentences as a possible punishment for data protection offenders. This is to act as a stronger deterrent than the current, quite ineffective fines.  It is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data", under Section 55 of the Data Protection Act (DPA). But now, personal data has never been easier to access and the risks of information being leaked are an increasing concern. There are many new suppliers of information who are unlikely to understand or take notice of the rules to which they must comply. While the maximum fine for committing a section 55 offence is £5,000 when the case is heard in a Magistrates Court, and unlimited when
Post a Comment
Read more