Here in the UK, the Data Protection Act (DPA) has been law for 14 years now (the act is dated 1998 and commenced in 2000). Despite this, there are some organisations who are not aware of their obligations to comply, even when it is clear they are handling data which would be protected under the act.
On 11 March, the Information Commissioner’s Office (ICO) announced another fine for a DPA breach, and as with so many cases before it, this was easily avoidable. When it comes to the DPA, very small amounts of preparation really can make a difference.
The latest DPA fine was levied against a Cardiff-based company providing “green deals” energy assessments called Becoming Green (UK) Ltd.
The ICO’s press release reports:
The offence was uncovered when the company was being monitored following concerns about compliance. An ICO case worker noticed Mr Muhith [Green Deal(UK) Ltd’s company director] had not registered the company with the ICO. As Becoming Green (UK) Ltd processed customers’ personal data this was a breach of the DPA.
As a result of this failing, the company director, Mr Abdul Muhith, was fined £597 personally. The company was also fined an additional £597. Although not covered in the ICO press release, other reporting (the Mirror, online) on the company implies that the ICO was investigating as a result of Green Deal Ltd (a previous company run by Mr Muhith) using inmates at an open-prison to run telesales. This behaviour is likely to be seen as putting DPA regulated personal data at risk, justifying ICO involvement.
DPA Registration – what should have happened
As always, we can only work on the published information but it seems that this is a very clear cut example of spending £35 to prevent a £1194 fine. It is especially strange that a company already under the ICO spotlight didn’t take measures to ensure DPA compliance.
The DPA can seem daunting to some people, but the ICO provides a lot of free guidance (or you can engage specialist consultants to help ensure compliance) to help businesses determine what they need to do.
If you aren’t sure if you need to register under the DPA, the ICO website provides a self-assessment tool. This has very simple question sets and helps you quickly work out your obligations.
Should you need to register, this can also be done online and costs £35 a year to maintain. If you decide to risk it and not register, remember you need to last 35 years without being caught before it becomes cost effective…
Basically, registration under the DPA is simple, cheap, easy and a legal obligation. Failing to do so is madness.