It is important to be aware of the data protection laws that may affect the running of your business and to be kept fully up to date.
Handling personal data
Any data which can be used to identify an individual is ‘personal data’. Your new company will undoubtedly handle personal data (such as customer and supplier databases and employee records) and therefore must make a notification to the Information Commissioner about their data processing activities as a Data Controller. Certain exceptions do apply for very small companies who only process for very limited purposes but it is very easy to fall outside of these so we recommend notification as it is cheap and failure to do so is a criminal offence.
How data is processed
A Data Controller has responsibility for the way in which data is processed and is defined as any organisation or individual who is responsible for determining how and why personal data is processed. A Data Controller has a legal obligation to protect the data and process it fairly and lawfully.
Where a Data Controller appoints a supplier to carry out processing and the supplier does nothing with the data on its own initiative, the supplier will be a Data Processor rather than Data Controller. A Data Processor has no direct obligations under the legislation, but the Data Controller must ensure it has a written contract with the Data Processor to ensure that the Data Processor complies with instructions of the Data Controller and certain other aspects of the legislation.
Transfer of data
Transfer of personal data outside the EEA (even for intra-company transfers) is, subject to certain exceptions, prohibited unless the data subject has consented or an approved transfer mechanism is used. Data Controllers should, therefore, be mindful of where they host the personal data.
Change in data protection laws
You should also be aware that Data protection laws in Europe are currently undergoing major reform. Europe’s Data Protection Directive (which is the European legislation that national data protection laws, including the Data Protection Act 1998, are derived from) is to be replaced with a new Data Protection Regulation. Compliance will become harder in Europe and consequences of non-compliance riskier – with the potential of fines of up to 2% of global annual turnover. If you would like advice on getting ready for the new Data Protection Regulations and data protection act, its fully updated to 2017.
In light of the above, you should, therefore, consider taking advice in the early stages of creating your company with regards to:
- the need to make a notification to the information commissioners;
- establishing policies and procedures to protect data correctly;
- ensuring that contracts with suppliers contain, at a minimum, the clauses required by the legislation; and
- complying with the rules regarding transferring data outside the EEA.