The right side of the data line

The newly renamed Information Commission is preparing to clamp down on e-commerce firms that break data privacy regulations. ZDNet explains how companies can stay within the law.

Last March the Data Protection Act 1998 belatedly came into force. It imposed restrictions on the way companies can handle personal information, including data used online for e-commerce.

In the months that followed, companies struggled to get to grips with the fine print of the act, and began to implement strategies that they thought would keep them within the letter of the law. However, many firms are continuing to breach the act unwittingly, though they have so far enjoyed a period of legal immunity.

Initially, the Information Commission, formerly the Data Protection Commission, introduced a period of grace for companies working on unmodified databases compiled before the new act. This period will expire on 24 October this year, after which companies in breach of the act will be liable to prosecution.

The Data Protection Act requires organisations to obtain individuals' consent before using their personal data. It gives individuals the right to opt out of direct marketing and stipulates that they must be informed about who is using their data and for what purposes.

Meanwhile, the EU E-commerce Directive adds further responsibilities for firms operating online. It stipulates that certain information must be provided on corporate Web sites and in any unsolicited communications. Rupert Battcock, an intellectual property lawyer at law firm Nabarro Nathanson, said this must be accounted for early in the creative process. 'If you are putting together a transactional Web site, you must consider the requirements for providing information and obtaining consents to use data, and you should do this at an early stage when the design brief is put together,' he said.

The EU directive also calls on companies sending unsolicited emails to individuals to consult relevant opt-out registers. And a new directive is being finalised about the sending of unsolicited emails to businesses.

The penalties for non-compliance are likely to grow, as the UK Information Commission is set to get tough on offenders. The act allows for unlimited fines, although a typical fine is about £3,000.

However, Battcock said the risks are not just financial. 'There are also the very real risks of damage to reputation, and risks to commercial ventures. A joint venture partner considering a deal with a company heavily dependent on the use of consumer data may be inclined to call the deal off if it is not happy that data protection regulations have been complied with,' he said.

A subject that still causes much confusion is the transfer of data to countries outside the EU. Under the act, UK companies are only allowed to transfer data outside the EU if the recipient is governed by regulations that are equal to European standards. A safe harbour scheme set up with the US in November was designed to help companies meet this obligation but has attracted only 12 US firms.

The Direct Marketing Association advises that companies should act now to protect themselves from future prosecution. Jo Whyte, the association's director of legal affairs, said: 'To avoid any problems, companies should draw up contracts with third parties outside the EU to ensure that data is looked after in line with European regulations.' A model contract offering further guidance is still being finalised by the Information Commission.

Firms remain responsible for the data they have collected, even after it has been passed to third parties, said Whyte, so they should draw up contracts which stipulate how their data can be used.

The consequences of bad practice are becoming more serious. Firms requiring more advice should consult a lawyer or they might refer to the DMA's Guide to the Data Protection Act, which costs £75 for members and £150 for non-members, and is available via the email address below.
