Information Commission - Customer Data storage



Gazza75
16-09-2012, 11:14 PM
While going through my research on what insurances, policies and laws I must adhere to prior to going into business, the issue of the Data Protection Act sprang to mind.

Now I understand some of you may not have electronic copies of customers' details, but my intention is to start a customer database from day one and also manage an active quarterly email detailing my upcoming offers/packages. To do so I will have to store electronic records of customers' details and of course give them notification that I am doing so and, in the case of the emails, an option to opt in/out.

So that leaves me to ask the question: is it commonplace for everyone present to pay the £35 below to the ICO? By no means am I looking for a way to circumvent this; I am merely interested to see who is also complying and if this is necessary.

As taken from the ICO website:


Notification to process personal data (All UK)

You must notify the Information Commissioner's Office (ICO) if your business processes personal data in an automated form.

'Personal data' means data which relates to a living person who can be identified from that data. It includes employment details, client information and information captured on CCTV.

If you do process personal data, your business is a 'data controller' for the purposes of the Data Protection Act 1998.

Most businesses must notify the ICO unless they only process personal data for the following purposes:

staff administration (including payroll)
advertising, marketing and public relations for their own business
accounts and records
judicial functions
personal, family or household affairs (including recreational purposes)
The following are also exempt from the requirement to register:

some not-for-profit organisations
data controllers who only process personal data for the maintenance of a public register
data controllers who do not process personal data on computer
To check whether you are exempt, use our self assessment tool - the link to this is displayed on the right-hand side of this page.

You should always check with the ICO if you are unsure whether you are exempt from notification.

You can notify the ICO by:

filling in an online notification form, printing it out and sending it to the ICO
completing a notification form request and posting it to the ICO
ringing the ICO's notification helpline and requesting a notification form
You need to fill in details of your business and a general description of the processing of personal information being carried out by the data controller.

A notification fee of £500 applies to data controllers with either:

a turnover of £25.9M and 250 or more members of staff
if they are a public authority with 250 or more members of staff.
All other data controllers - including registered charities and small occupational pension schemes (regardless of their size and turnover) - must pay £35 per year unless they are exempt.

Once you have successfully notified the ICO, the details of your business will be entered on the register of data controllers.

You need to renew your registration each year. If you fail to do so you are committing a criminal offence and could be faced with an unlimited fine. The ICO will write to you before the expiry date and explain the process for renewing your entry on the register.

DazzyD
16-09-2012, 11:54 PM
(quoting Gazza75's post above)

Potential minefield alert!!! :eek:

Not really. The vast majority of DJ businesses will fall under the section I've marked in red and, therefore, do not need to register with the ICO as they are exempt.

What are you intending to do with the data you hold which would mean you would need to register as a Data Controller with the ICO? There is only certain data held, and planned uses for that data, that means you need to register. Maintaining a mailing list or database of customer details for a marketing campaign is not one of them. You do, however, as you have rightly pointed out, need to comply with The Privacy And Electronic Communications Regulations, details of which can be found here:

http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1073792163&type=RESOURCES

DiscoPromotions
17-09-2012, 07:42 AM
I agree, the ICO is a minefield... just putting the ICO aside at the moment... but still on topic along the lines of Data Protection & Security.

Basic information that I assume that we hold on our customers are:

Name
Address
Contact Tel/Email

If you do hold extra information like birthdate, mother's maiden name, payment information etc., I cannot understand why any DJ business would hold this information; however, if you do then you would need to consider protecting your customer data. Also do not forget to protect your own data.

How many of you have a secure PC/network? (Sorry, a password on your Windows login does not count; someone could hack in within a few minutes with a USB data storage device and an exploit.)

For example, all my machines' hard drives/storage devices (except for my DJing laptop, as it does not contain any personal/customer data) are fully encrypted with no less than AES-256, with no less than a 20-character password.

USB data storage devices are easy to store information, but also easy to lose.

If you think this is overkill, I have to disagree, as my data is more valuable to me than the machine/device it is stored on. Data theft is on the increase, and if you say it does not affect you then you become a target.

My home network is protected by a WatchGuard firewall unit (bought off eBay for £40). This puts an extra layer of protection between the internet and my machines/devices and allows me to control what data is sent to and received from the internet.

If you sell your old machine/device, how do you remove the data stored on it? Doing a simple format or deleting your files is no good; the data is recoverable.

There are so many tools to recover data even after a format; this applies to USB data storage devices as well. My recommendation is don't sell a machine with the hard drive; if you do, make sure you do a 7-pass format and zero it. There are plenty of free tools out there which can do this.

How many people have a password on their mobile phone? If you have ever lost a phone you know what a pain that is.

However, phones like the iPhone/BlackBerry can hold vast amounts of data, and this makes them a risk. I have an iPhone and have a complex password with automatic data wipe if it is entered incorrectly 10 times. BlackBerries are better as they do encrypt to the AES-256 standard, but a BlackBerry is too annoying for me.

Social engineering is a great source of information for prying eyes. Facebook/Twitter etc. are great for people to gain information to find out about a person. Always vet what information you have posted about yourself, including the information that other people post about you. A simple innocent post on Facebook by a friend is valuable information for other people to use.

However, if I have left you feeling worried, just follow the rules below for 100% data security protection:

1. Don't buy a PC/data storage device.
2. If you do, don't switch it on or plug your storage device into anything.

Source of information: commercial experience as an IT consultant working within government and financial organisations.
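An added illustration (not from the post above or any tool it mentions) of why a quick delete or format leaves customer data recoverable while an overwrite does not: a constructed toy disk model in Python whose directory maps file names to blocks, with a quick delete, a multi-pass overwrite, and a raw byte scan standing in for a recovery tool. The disk layout, block size and the sample customer record are all constructed for the example.

```python
import secrets

BLOCK = 64  # bytes per block in this constructed toy disk (not a real filesystem)


class ToyDisk:
    """Minimal disk model: a flat byte array plus a directory that maps
    file names to the blocks they occupy. Deleting a file only forgets
    the mapping; the bytes stay on the platter until something overwrites them."""

    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))
        self.dir = {}

    def write(self, name, data):
        needed = -(-len(data) // BLOCK)  # ceiling division: blocks required
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.dir[name] = blocks

    def delete(self, name):
        # Quick delete / quick format: only the directory entry disappears.
        self.free.extend(self.dir.pop(name))

    def secure_delete(self, name, passes=7):
        # Overwrite every block the file used (random passes, then zeros)
        # before releasing it: the "7-pass and zeroed" wipe the post describes.
        blocks = self.dir.pop(name)
        for b in blocks:
            start = b * BLOCK
            for _ in range(passes):
                self.raw[start:start + BLOCK] = secrets.token_bytes(BLOCK)
            self.raw[start:start + BLOCK] = bytes(BLOCK)
        self.free.extend(blocks)

    def carve(self, needle):
        # What a recovery tool does: ignore the directory and scan raw bytes.
        return self.raw.find(needle) != -1


def demo():
    # Constructed sample record; returns (found after quick delete, found after wipe).
    record = b"Customer: A. Example, 1 High St, 07700 900123"
    quick = ToyDisk(); quick.write("clients.csv", record); quick.delete("clients.csv")
    wiped = ToyDisk(); wiped.write("clients.csv", record); wiped.secure_delete("clients.csv")
    return quick.carve(record), wiped.carve(record)
```

On real hardware the same principle holds, but SSD wear-levelling and drive sector remapping mean a file-level overwrite may miss copies, which is why full-disk encryption from day one is the more reliable protection.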

Gazza75
17-09-2012, 09:54 AM
Basic information that I assume that we hold on our customers are:

Name
Address
Contact Tel/Email

This pretty much covers the information I plan on holding, and I agree on the security issue, which again is something that was drilled into me when working for a large bank (who used to lose laptops all the time, full of customer details). Encryption of the database with password protection on a 256-bit or 512-bit key, with a password-protected laptop login screen that expires every 30 days, is more than enough to satisfy the ICO I think.


What are you intending to do with the data you hold which would mean you would need to register as a Data Controller with the ICO? There is only certain data held, and planned uses for that data, that means you need to register. Maintaining a mailing list or database of customer details for a marketing campaign is not one of them.

My intention was part mailing list/marketing list; my initial thoughts were also to maintain a customer list with the above information, however on further thought this may be more of a thorn in my side. It's a case of weighing the advantages and disadvantages to be able to come to an informed decision.

On a note for anyone reading through, the same website DazzyD mentions also has some great and very concise info on what you can and can't do with email marketing lists, along with text message marketing systems. This can be found here (http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1073792164&r.i=1073792163&r.l1=1073861169&r.l2=1087428702&r.l3=1074002278&r.t=RESOURCES&type=RESOURCES)

DazzyD
17-09-2012, 12:43 PM
This pretty much covers the information I plan on holding, and I agree on the security issue, which again is something that was drilled into me when working for a large bank (who used to lose laptops all the time, full of customer details). Encryption of the database with password protection on a 256-bit or 512-bit key, with a password-protected laptop login screen that expires every 30 days, is more than enough to satisfy the ICO I think.
...

What you need to remember is that banks are very different businesses to your average mobile DJ business. They are bound by law to keep information on their systems for reporting and fraud prevention purposes. We are not. Therefore, the two cannot be compared like for like when discussing the role of a Data Controller in terms of the ICO.

When I said that this was a "potential minefield" I was joking. It's quite simple, really, but it needs a working knowledge of the Data Protection Act and all its revisions to be totally clear on the matter. However, Gazza's ICO quote in the OP made it quite clear that the purposes for which we would collate personal data would mean we would be exempt from ICO registration; therefore, it doesn't affect us at all. People have a perception of what rights the DPA affords them but, in practice, this perception is often far from the truth. They hear the term "Data Protection" and just assume that all data held about them is automatically protected, but this is simply not the case.

marting
17-09-2012, 05:52 PM
This was mentioned to me when I opened a business account; they were using it to try and justify selling me £17 a month's worth of software which, amongst other things, would encrypt all my emails as well as backing them up. It also backs up music (no limit) and photographs. I'm still deciding if I'm going to be using it.