Protect yourself and your data
If you hold information about others, you must be licensed under the Data Protection Act 1998 and are regarded as a Data Controller.
Firstly, a data controller is required to comply with the eight principles of good information handling (the Data Protection Principles).
These principles require the data controller to:
- process personal data fairly and lawfully.
- obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner which is incompatible with the purpose or purposes for which it was obtained.
- ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
- ensure that personal data is accurate and, where necessary, kept up to date.
- ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
- process personal data in accordance with the rights of the individuals to whom the information relates.
- ensure that personal data is kept secure.
- ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which the information is to be sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
So what simple methods would we recommend to help protect you and your data?
- Separate the data for easier management - one database for each of the following as a suggestion:
  - Current customers
  - Ex customers
  - Suppliers
  - Prospects
  - Archive
  - Blacklist
- Keep a master database, with ID codes (e.g. CC for current customers), so you can find the details of a record if you need them.
- Restrict access - make sure that the correct people are able to view the details.
- Keep data up to date. We would recommend a free data audit and then automated processing as the simplest and most cost-effective method. We suggest carrying out this process once every six months, but the Act makes no specific demands in this respect (see principle 4).
- Following each data audit and processing, keep a copy of the master database off site and, if you wish, the segmented databases. This is a simple process to build into your Disaster Recovery Policy.
- Make sure that you build an archive, so that any data can be traced with any notes that you have attached. For example, if a company is no longer trading, you will not wish to keep contacting them, so simply archive the details (see principle 5).
If you need any further help and advice, please contact us.


