Menu

Data protection compliance - the basics

‘Data protection’ is about handling information about  people, such as customers, clients and employees, in a way that is open, transparent, secure and fit for the digital era.  Meeting their expectations will enhance the level of trust and confidence they have in an organisation and good information governance may save both time and money.

Fundamental definitions

Who must comply?

All controllers must comply with the law - it does not matter how big or small the controller is, what the controller does, or how many staff, customers or clients, etc. it has. 

(Processors have particular obligations under the new law which are not covered on this page.  Find out more) 

How to comply

In order to comply with the law, controllers must understand and demonstrate:

In summary, this is known as ‘complying with the principles’

Controllers are accountable for and must be able to demonstrate, compliance.  Some form of record showing how they comply should be kept and reviewed and updated as necessary.   There is no standard format but the record should be understandable to the controller and as simple or complex as needed.

Such a record will also help controllers comply with their other obligations including complying with the rights of individuals, such as the right of access, the right to erasure and the right to object.

Transparency (fair processing notices)

Individuals have a right to be given information about the use of their personal data and most of the information required for fair processing notices can be found in the details the controller has recorded about the processing being undertaken.

Controllers must give this information to individuals in clear, concise and plain language and it must contain details of their rights, including the right to complain to the Commissioner.

Registration

Registration is a component of compliance and controllers must register if:

Examples of where registration is required include:

The controller, having established the purposes for processing personal data, will know whether registration is required.  In most cases controllers will need to register and a fee is usually payable.