INTRODUCTION

A person or organization addressing data protection compliance for the very first time can be forgiven for thinking that they are facing an impossibly daunting task, and a common initial comment is ‘I do not know where to start’. Of course, the only logical response is ‘start at the beginning’, and this means working out first of all whether or not the DPA applies. As discussed in Chapter 1, the key considerations are:

  • Is the data controller established in the UK or, if not, is the data controller established outside the EEA?

  • Is the data controller processing data in the context of its UK establishment or, if established outside the EEA, is the data controller using processing equipment in the UK other than merely for the purpose of transiting data through the UK?

  • Are the data that are processed personal data?

  • Does an exemption apply?

If the DPA does apply, the data controller will need to prioritize matters within its compliance strategy, to ensure that the most serious matters are dealt with first. This means carrying out an assessment of risk with the data controller trying to determine, as accurately as possible:

  • the nature of the risks to which they or their organization are exposed;

  • the probability of the risks turning into realities;

  • the consequences if the risks do indeed turn into realities;

  • the actions to be taken to prevent the risks turning into realities.

Many data controllers, particularly those in the private sector, need to be persuaded that compliance with the DPA is worth the effort, which may or may not be an odd state of affairs given that compliance is required as a matter of law. Thus, many commentators, including the Information Commissioner, have pointed to other factors that they hope will encourage errant data controllers to take their responsibilities seriously. Arguments that have been advanced in the name of encouraging compliance include the following:

  • Reputation: The reputation argument says that the errant data controller’s good reputation will be damaged by its failure to comply with the DPA. Data subjects who are clients and customers will eventually turn their backs on these data controllers. Potential clients and customers will not want to deal with data controllers with bad reputations. Nor will other data controllers.

  • Reduction of risk: The reduction of risk argument says that DPA compliance will also bring the data controller into compliance with other laws and regulations, thereby reducing the overall level of risk within the organization. This is because DPA compliance requires the data controller to examine its entire range of operations, a process that can reveal the presence of concealed ‘smoking guns’, such as evidence of discrimination or harassment within the workplace. DPA compliance also overlaps with other regulatory frameworks, for instance money laundering, so there are incidental benefits.

  • Efficiency: The efficiency argument says that DPA compliance will make the data controller’s operations generally more efficient. It is now being appreciated that there is substantial strength in this argument. For instance, the inevitable proliferation of electronic data in a non-compliant organization leads to higher data storage and management costs and lengthens data search and retrieval times. The financial cost of long-term storage of data is a real problem for businesses and public authorities.

All of these justifications for compliance have substantial merit, but the focus of this chapter is the core compliance challenges presented by the DPA.
