Date published: 12 August 2008

The Data Protection Act: what does it mean to me?

It’s been around since 1998, and all UK businesses should have been fully compliant since October 2001.  So just what is the Data Protection Act and how does it affect Welsh businesses?  Does it apply if you’re only a very small business?  What measures do you need to take in order to protect personal data?

The Data Protection Act 1998 is based on an EU directive requiring member states to protect the rights of people to “privacy with respect to the processing of personal data”.  It essentially governs the appropriate use of personal data by any organisation holding it.  Overseen by the Information Commissioner’s Office (ICO), contravention of the Act by any organisation could mean:

  • A £5,000 fine (unlimited if prosecuted in a Crown Court)
  • In many instances it will constitute a criminal offence

Any personal information that can be used to identify the individuals concerned is covered by the Act.  This applies to all Welsh businesses dealing with individuals, be they members of the public, employees of business partners/suppliers or even their own internal staff.

Beware of becoming a criminal yourself

All organisations have a responsibility to adhere to the Data Protection Act, which typically involves having 100% control and security over IT systems and databases.  Should they fail to do so, they could be committing or facilitating an e-crime.

Holding personal information carries a series of legal responsibilities under the terms of the Act. 

  • ‘Data-controllers’ have to notify the ICO about how personal data is held and processed, what kinds of data are held (particularly if these are deemed ‘sensitive’ i.e. related to health records, ethnic origin, trade union membership or political opinions) and what purposes they are held for.  This notification will be placed on a public register. 
  • Personal data must be held and used in strict accordance with the eight principles of the Data Protection Act.  These require that information is:
    • Fairly and lawfully processed;
    • Processed for limited purposes;
    • Adequate, relevant and not excessive;
    • Accurate;
    • Not kept longer than necessary;
    • Processed in accordance with individuals’ rights;
    • Kept secure;
    • Not transferred outside the European Economic Area without adequate protection.
  • Individuals requesting access to information concerning themselves must be answered. (You may be able to charge a fee of up to £10 per request for this.)
  • Individuals must also be informed when their information is collected.  Collection of data can only take place when an individual’s ‘specific’ and ‘informed’ consent has been signified positively.

Many organisations have broken the Data Protection Act and suffered the consequences, both in terms of fines and sanctions but also the more damaging issue of a tarnished reputation.  The law exists to protect consumers, so companies that break it are justifiably held in poorer regard. 

Stay secure to stay legal

As well as having appropriate policies in place to remain in accordance with the Act, one of the most important actions Welsh businesses can take is to ensure any personal data held remains secure.  Failing to respect the privacy of personal data strikes at the heart of what the Data Protection Act was designed to accomplish, and leaves an open door for e-criminals to walk through.


e-Crime Wales Partners

Dyfed Powys Police
Gwent Police
North Wales Police
South Wales Police
Airbus Defence & Space
WG Footer logo
Federation of Small Businesses
Get Safe Online
Morgan Cole
University of Wales, Newport