Consultancy: Compliance with the UK Data Protection Act 1998
The Data Protection Act 1998 (DPA) states that all organisations that hold or process personal data MUST comply with DPA requirements. From April 2010, the powers of the Information Commissioner, the regulator for the DPA, were significantly strengthened. As a result, any organisation found to be in breach can be fined up to £500,000; although for some, even a severe fine can be a relatively small amount compared to reputational damage that results from negative press coverage of the incident.
Schedule 1 of the Act sets out eight principles for that organisations must comply with to ensures personal data is treated:
-
fairly and lawfully
-
with specific and specified purposes
-
is adequate, relevant and not excessive
-
is accurate and up to date
-
is not retained for longer than necessary
-
is processed in accordance with individuals rights
-
is held with appropriate levels of security
-
is not transferred abroad without ensuring of adequate levels of legal protection.
Please email us or telephone 0845 070 1750 for more on how we can help you achieve DPA compliance cheaply, quickly and painlessly.
IT Governance DPA services:
-
Gap Analysis
-
Assistance to notify with the information commissioner (a legal requirement)
-
In-house training
-
Certified training courses for Data Protection Officers
-
Public training courses
-
Toolkits and documentation
-
Help achieving the creation of a BS 10012 compliant PIMS (Personal Information Management System)
-
Help achieving ISO27001 compliance and improvements to information security
-
Help achieving ISO22301 and improvements to business continuity
DPA Compliance Gap Analysis
You can achieve DPA compliance by using our books and/or you can use our efficient DPA consultancy service to assess your current level of compliance with DPA, identify any gaps, create and then implement a remedial plan, and keep yourself compliant thereafter.
Our experienced data protection consultants can assess exactly where your current security practices, legal situation and operating procedures are in terms of DPA compliance. This includes direct marketing practices, fair processing notices, and retention and deletion procedures. This can identify the steps that you will need to take to bring your business into full compliance with the DPA.
Our service will tell you what you need to know, quickly and effectively, and if you need our help to achieve DPA compliance, we can assist with remediation.
Notification Assistance
Organisations which process personal data must complete a notification with the Information Commissioner. This notification includes:
-
What personal data is processed,
-
The purposes for which it is processed, and
-
Where it is obtained and to whom it is disclosed.
It is critical that this notification is completed and kept up to date and accurate.
Training
We offer a range of training courses surrounding the Data Protection Act to suit various organisational needs.
Our public course is a one day introduction to Data Protection Act compliance, which offers advice and an understanding of the requirements from an experienced data protection practitioner, who is experienced in applying the principles to real life situations. In-house training courses may be more cost effective if you have a number of staff who wish to understand the requirements, and at IT Governance we are experienced providers of customised staff awareness courses.
If you are a data protection officer / practitioner yourself, you may want a formal qualification and an advanced level of knowledge to best advise your organisation. IT Governance offers the BCS ISEB in Data Protection, a five day practical course with a written examination to demonstrates an advanced level of knowledge and ability.
Email us or call us on +44 (0) 845 070 1750 for more information on any of these courses.
BS10012 – A Personal Information Management System
Sometimes the problem with data protection compliance is that management have no way of being continually assured that the organisation is in compliance. BS 10012 looks at a Personal Information Management System or PIMS.
The standard sets out a series of requirements for the establishment of a series of policies, procedures, training, audits, management meetings and measurements that focus on data protection though a ‘plan-do-check-act’ cycle.
This ensures that organisationally the management team have visibility and assurance that appropriate compliance measures are planned and undertaken, and have a much greater visibility of any issues that arise, ensuring that continual improvement in this area is established and maintained on an ongoing basis.
Establishing a PIMS as part of your overall business management system will ensure that data protection management is placed within a robust framework looked upon favourably by the regulator.
Email us or call us on +44 (0) 845 070 1750 to find out how IT Governance can help you to implement a Personal Information Management System.
Information Security and Business Continuity
Principle 7 of the Data Protection Act looks at ensuring that personal data is held with ‘appropriate technical and organisational security’ and is protected against ‘unauthorised disclosure, loss of damage’.
To ensure this, it is critical that you have appropriate information security and business continuity measures in place. This can involve certification to international and national standards such as ISO 27001 and ISO22301 which prove to stakeholders that you have the correct approach in these areas, certified by the Information Commissioner.
Please email us or telephone 0845 070 1750 and talk to us about how we can help you achieve DPA compliance quickly and painlessly.