Every company holds onto personal information of some sort, about its staff, customers, business contacts and others. Make sure your company abides by its data protection obligations.
The retention and processing of personal information is governed by the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Our summary sets out the conditions that all companies must fulfil in order to be able to keep and use personal information, whether it concerns staff, customers, suppliers, business contacts or others.
The Information Commissioner’s Office (ICO) enforces these obligations and can prosecute companies and individuals for breaching the legislation. It also has the power to carry out audits, to serve enforcement notices requiring remedial action, and to impose fines where breaches are discovered. The ICO’s website contains information and guidance on compliance with data protection law (https://ico.org.uk/).
Individuals can request access to the personal information held about them. If your company receives such a request, the individual is entitled to:
If your company receives a data subject access request, it needs to respond within one month of receipt. This period can be extended by a further two months (three months in total) where the request is particularly complex or the individual has made a number of requests, but the company must tell the individual within the first month that it is extending the deadline and explain why.