Checklist for compliance with the Data Protection Act 1998

This checklist is based on UK law. It was last updated in February 2008.

This checklist is intended as an aide memoire for those who already understand the basics of data protection. It is not an exhaustive list.

  1. Appoint a data protection officer or someone with compliance responsibility.
  2. Ensure that the company is registered with the Information Commissioner if required and maintain that registration. Remember that separate members of your group will need separate registrations if they are also data controllers.
  3. Identify all collection points of data, e.g. websites, application forms, in-bound and out-bound telephone calls, emails, SMS, faxes, CCTV, employment application forms, attendance at events or functions or exchanges of business cards.
  4. Identify what data are collected and whether directly from the data subject or via a third party.
  5. Identify all purposes for processing, all internal and external access and all disclosures of data.
  6. Identify all marketing activities and make sure the Privacy and Electronic Communications Regulations are complied with.
  7. Draft and put in place an appropriate Data Protection Notice in each collection process setting out all purposes for processing and all disclosures.
  8. Consider how you will provide a Data Protection Notice to individuals where you obtain their information via a third party.
  9. Train all staff who come into contact with personal data. Employees attract personal criminal liability for unauthorised obtaining or unauthorised disclosure of personal data.
  10. Train staff to recognise subject access requests from data subjects.
  11. Train managers who make decisions about databases.
  12. Ensure that Data Protection Notices are provided to all employees containing an explicit consent statement to the processing of their sensitive personal data. Consider what else employees need to be told.
  13. Identify any automated decision making processing and put a review or appeal procedure in place for any customer or employee who is turned down by any automated decision software, for example, psychometric testing or credit scoring.
  14. Identify the grounds under Schedule 2 (and the grounds under Schedule 3 for sensitive personal data) which give legitimacy to processing, e.g. consent, explicit consent, contract or legitimate interest.
  15. If the ground is consent, ensure that your Data Protection Notices include Consent Statements and provoke a positive response from customers and business contacts.
  16. Identify all third party data processors used by the company. Ensure that data processor contracts are in place.
  17. Identify all transfers of personal data to EU countries and to third countries. Put appropriate contracts or other compliance methods in place.
  18. Ensure that IT systems provide adequate security.
  19. Identify all manual files and decide whether they fall within the definition in the Act.
  20. Review security of processing in the light of ISO17799 – physical, logical, technical and operational measures to ensure the security of processing.
  21. Review procedures for ensuring quality of data – how often are data reviewed for accuracy?
  22. Put in place processes and procedures to identify and satisfy subject access requests.
  23. Review internet and e-mail policies and CCTV policies to make sure they comply with the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Information Commissioner's Guidance.
  24. Put in place processes to deal with requests for disclosure by the Police, Inland Revenue or other Government departments.
  25. Review employment contracts, disciplinary procedures and guidance issued to employees.
  26. Put a data protection help site and help line on the intranet.
