In this article Dr Maria Anassutzi, Intellectual Property Expert, discusses a different aspect of intellectual property. In particular, the importance of compliance with the Data Protection Act 1998 and provides a clear explanation and useful guide how to ensure compliance.
Compliance with the Data Protection Act 1998 is an issue affecting the great majority of the businesses. Compliance is not voluntary but mandatory and non compliance has severe consequences for a business both in terms of penalties, adverse PR, customer retention all that eventually hit the profits of a business. It is therefore recommended that businesses carry out regular Data Protection Audits to ensure not only that the necessary policies and procedures are in place but also that they are implemented in a correct way throughout the entire business.
How to do it?
First of all, the business should decide who will carry out the audit and document in writing both the audit procedure and the outcome of the audit.
Secondly, the business should decide which parts/divisions of the business as a whole is to be audited and identify those key areas of the organisation that are likely to be particularly involved in the processing of personal data, such as human resources (including payroll, employee benefits and so on), IT (to determine security and contingency measures in place), marketing and customer sales and support.
Next, the business should select who will carry out the audit. It could be external or internal to the business. In any case, the business should:
- Ensure that the person carrying out the audit is independent of the function or department that is audited. The organisation can choose either an external or internal auditor.
- Check that the chosen auditor has been trained to a sufficient level of competence in the skills and know-how required for both conducting and managing audits. This should include: knowledge and understanding of data-protection issues in general, and of the DPA and other legislative requirements in particular and familiarity with assessment techniques (examining, questioning, evaluating and reporting) and management skills (planning, organising, communicating and directing).
- Look for auditors who have demonstrable experience in data protection-related activities.
The audit could be conducted using one of two alternative techniques to conduct an audit:
- Personal interview: This involves one auditor, or several, conducting interviews with representatives from each of the departments selected for audit.
- Customised questionnaire: This involves the development of a customised questionnaire, in which the majority of questions can be answered through the ticking of boxes.
Once the audit information has been consolidated, problem areas for each of the departments will become apparent. Draft department-specific compliance profiles which outline practical ways of correcting non-compliant procedures, and distribute these to the relevant departments for implementation. Compliance profiles should identify:
- The agreed corrective action to be taken in each case.
- The person responsible for ensuring that corrective action is taken.
- The date when the corrective action must be completed.
How to deal with post-audit issues
If the audit discovers any instances of non-compliance, then you should
- Prepare guidelines and circulate them to all employees within the organisation, highlighting compliance issues and providing practical guidance on how to resolve the relevant issue (for example, making it clear that data should only be retained for six months, after which databases should be cleansed). Anassutzi and Co can help you in any step of this process.
- Ensure that employees involved in the collection or processing of personal data attend regular training courses to make sure that the organisation’s privacy practices keep pace with data protection and privacy laws as they develop. The Information Commissioner’s Office (ICO) published a Good Practice Note in the form of a staff training checklist for small and medium-sized enterprises. The note outlines some of the key practical implications of the Data Protection Act 1988, and is intended to be used as a basic training framework for general office staff in such organisations. It addresses, among other things, ways of keeping personal information secure, and how to handle requests from individuals for their personal information. The note also emphasises that staff who have duties relating to marketing, computer security and database management may need additional training.
- Review the procedures regularly to ensure that the compliance issues have been resolved.
This article is for general purposes and guidance only and do not constitute legal or professional advice.