Reading Time | 2 mins

Firms regularly breaking the rules on data protection

Share this article

Almost one out of five firms have at some point unknowingly breached the Data Protection Act, according to new research.

The study, carried out by BSI, the standards organisation, found that of those businesses a half have broken the rules on several occasions.

Some 18 per cent said that they were uncertain whether they had overstepped the law or not.

A breach could involve, among other things, illegally transferring information to a third party or failing to hold details securely.

Of the 500 SMEs that responded to the poll, 65 per cent admitted they do not train staff in data protection, and almost a half do not have an employee charged with making sure that law is complied with even though the regulations require that all organisations handling personal information must have an assigned data controller.

Some 15 per cent were not certain that their policies on data storage actually conform to the Data Protection Act, while 5 per cent share their data anyway.

A further fifth (18 per cent) claimed that data protection had become less urgent during the recession.

Mike Low, director of standards at BSI, said: “The five million small and medium-sized businesses in the UK form the backbone of the British economy. These organisations are handling vast amounts of personal information on a daily basis and, while it is encouraging that some already have appropriate data protection measures in place, this survey shows there is still a long way to go.”

The BSI has launched a new British standard (BS10012) for data protection to help firms comply with the law.

The BSI said that the standard provides a framework for the management of personal information and that it can be used by firms of any size and sector to help them deal with training and awareness, risk assessment, data sharing, the retention and disposal of data and disclosure to third parties.

Mike Low added: “A third of businesses we surveyed stated that the complexity of the legislation restricts their compliance with the Data Protection Act. BS10012 addresses this and many other issues.”

Gordon Wanless, chairman of the Data Protection Forum, commented: “The BSI survey backs up what we have known for some time – many organisations find the legislation in this area complex. The standard can help organisations put in place measures that will lead to compliance and demonstrate they are handling personal information responsibly.”