
Thread: Information Commission - Customer Data storage

  1. #1
    Gazza75's Avatar
    Join Date
    Sep 2012
    Location
    Central Scotland
    Age
    33
    Posts
    42

    Default Information Commission - Customer Data storage

    While going through my research on what insurance, policies and laws I must adhere to prior to going into business, the issue of the Data Protection Act sprang to mind.

    Now I understand some of you may not have electronic copies of customers' details, but my intention is to start a customer database from day one and also manage an active quarterly email detailing my upcoming offers/packages. To do so I will have to store electronic records of customers' details and of course give them notification that I am doing so and, in the case of the emails, an option to opt in/out.

    So that leaves me to ask the question: is it commonplace for everyone present to pay the £35 below to the ICO? By no means am I looking for a way to circumvent this; I am merely interested to see who else is complying and if this is necessary.

    As taken from the ICO website:

    Notification to process personal data (All UK)

    You must notify the Information Commissioner's Office (ICO) if your business processes personal data in an automated form.

    'Personal data' means data which relates to a living person who can be identified from that data. It includes employment details, client information and information captured on CCTV.

    If you do process personal data, your business is a 'data controller' for the purposes of the Data Protection Act 1998.

    Most businesses must notify the ICO unless they only process personal data for the following purposes:

    staff administration (including payroll)
    advertising, marketing and public relations for their own business
    accounts and records
    judicial functions
    personal, family or household affairs (including recreational purposes)
    The following are also exempt from the requirement to register:

    some not-for-profit organisations
    data controllers who only process personal data for the maintenance of a public register
    data controllers who do not process personal data on computer
    To check whether you are exempt, use our self assessment tool - the link to this is displayed on the right-hand side of this page.

    You should always check with the ICO if you are unsure whether you are exempt from notification.

    You can notify the ICO by:

    filling in an online notification form, printing it out and sending it to the ICO
    completing a notification form request and posting it to the ICO
    ringing the ICO's notification helpline and requesting a notification form
    You need to fill in details of your business and a general description of the processing of personal information being carried out by the data controller.

    A notification fee of £500 applies to data controllers with either:

    a turnover of £25.9M and 250 or more members of staff
    if they are a public authority with 250 or more members of staff.
    All other data controllers - including registered charities and small occupational pension schemes (regardless of their size and turnover) - must pay £35 per year unless they are exempt.

    Once you have successfully notified the ICO, the details of your business will be entered on the register of data controllers.

    You need to renew your registration each year. If you fail to do so you are committing a criminal offence and could be faced with an unlimited fine. The ICO will write to you before the expiry date and explain the process for renewing your entry on the register.

  2. #2
    King Of Cheese Moderator DazzyD's Avatar
    Join Date
    Feb 2008
    Location
    Between Sunderland & Durham
    Age
    46
    Posts
    5,064

    Default

    Quote Originally Posted by Gazza75 View Post
    While going through my research on what insurance, policies and laws I must adhere to prior to going into business, the issue of the Data Protection Act sprang to mind.

    Now I understand some of you may not have electronic copies of customers' details, but my intention is to start a customer database from day one and also manage an active quarterly email detailing my upcoming offers/packages. To do so I will have to store electronic records of customers' details and of course give them notification that I am doing so and, in the case of the emails, an option to opt in/out.

    So that leaves me to ask the question: is it commonplace for everyone present to pay the £35 below to the ICO? By no means am I looking for a way to circumvent this; I am merely interested to see who else is complying and if this is necessary.

    As taken from the ICO website:
    Notification to process personal data (All UK)

    You must notify the Information Commissioner's Office (ICO) if your business processes personal data in an automated form.

    'Personal data' means data which relates to a living person who can be identified from that data. It includes employment details, client information and information captured on CCTV.

    If you do process personal data, your business is a 'data controller' for the purposes of the Data Protection Act 1998.

    Most businesses must notify the ICO unless they only process personal data for the following purposes:

    staff administration (including payroll)
    advertising, marketing and public relations for their own business
    accounts and records

    judicial functions
    personal, family or household affairs (including recreational purposes)
    The following are also exempt from the requirement to register:

    some not-for-profit organisations
    data controllers who only process personal data for the maintenance of a public register
    data controllers who do not process personal data on computer
    To check whether you are exempt, use our self assessment tool - the link to this is displayed on the right-hand side of this page.

    You should always check with the ICO if you are unsure whether you are exempt from notification.

    You can notify the ICO by:

    filling in an online notification form, printing it out and sending it to the ICO
    completing a notification form request and posting it to the ICO
    ringing the ICO's notification helpline and requesting a notification form
    You need to fill in details of your business and a general description of the processing of personal information being carried out by the data controller.

    A notification fee of £500 applies to data controllers with either:

    a turnover of £25.9M and 250 or more members of staff
    if they are a public authority with 250 or more members of staff.
    All other data controllers - including registered charities and small occupational pension schemes (regardless of their size and turnover) - must pay £35 per year unless they are exempt.

    Once you have successfully notified the ICO, the details of your business will be entered on the register of data controllers.

    You need to renew your registration each year. If you fail to do so you are committing a criminal offence and could be faced with an unlimited fine. The ICO will write to you before the expiry date and explain the process for renewing your entry on the register.
    Potential minefield alert!!!

    Not really. The vast majority of DJ businesses will fall under the section I've marked in red and, therefore, do not need to register with the ICO as they are exempt.

    What are you intending to do with the data you hold which would mean you would need to register as a Data Controller with the ICO? There is only certain data held, and planned uses for that data, that mean you need to register. Maintaining a mailing list or database of customer details for a marketing campaign is not one of them. You do, however, as you have rightly pointed out, need to comply with The Privacy and Electronic Communications Regulations, details of which can be found here:

    http://www.businesslink.gov.uk/bdotg...type=RESOURCES
    Last edited by DazzyD; 17-09-2012 at 12:00 AM.
    Dazzy D
    Lightning Disco & Entertainment

    Born to make you party!

  3. #3
    DiscoPromotions's Avatar
    Join Date
    Nov 2008
    Location
    West Midlands
    Age
    42
    Posts
    632

    Default How do you protect your customer data?

    I agree, the ICO is a minefield... just putting the ICO aside at the moment... but still on topic along the lines of Data Protection & Security.

    Basic information that I assume that we hold on our customers are:

    Name
    Address
    Contact Tel/Email

    If you do hold extra information like birth date, mother's maiden name, payment information etc. (I cannot understand why any DJ business would hold this information), then you would need to consider protecting your customer data; also do not forget to protect your own data.

    How many of you have a secure PC/network...? (Sorry, a password on your Windows does not count; someone could hack in within a few minutes with a USB data storage device and an exploit.)

    For example, all my machines' hard drives/storage devices (except for my DJing laptop, as it does not contain any personal/customer data) are fully encrypted to no less than AES-256-bit, with no less than a 20-character password.

    USB data storage devices are easy to store information, but also easy to lose.

    If you're thinking overkill, I have to disagree, as my data is more valuable to me than the machine/device it is stored on. Data theft is on the increase, and if you say it does not affect you then you become a target.

    My home network is protected by a WatchGuard firewall unit (bought off eBay for £40). This puts an extra layer of protection between the internet and my machines/devices and allows me to control what data is sent to and received from the internet.

    If you sell your old machine/device, how do you remove the data stored on it? Doing a simple format or deleting your files is no good, and the data is recoverable.

    There are so many tools to recover data even after a format; this applies to USB data storage devices as well. My recommendation is don't sell a machine with the hard drive; if you do, make sure you do a 7-pass format and zero it. There are plenty of free tools out there which can do this.

    How many people have a password on their mobile phone? If you have ever lost a phone you know what a pain that is.

    However, phones like the iPhone/BlackBerry can hold vast amounts of data, and this makes them a risk. I have an iPhone and have a complex password with automatic data wipe if it is entered incorrectly 10 times. BlackBerries are better as they do encrypt to the AES-256 standard, but a BlackBerry is too annoying for me.

    Social engineering is a great source of information for prying eyes. Facebook/Twitter etc. are great for people to gain information about a person. Always vet what information you have posted about yourself, including the information that people post about you. A simple innocent post on Facebook by a friend is valuable information for other people to use.

    However, if I have left you feeling worried, just follow the rules below for 100% data security protection:

    1. Don't buy a PC/data storage device.
    2. If you do, don't switch it on or plug your storage device into anything.

    Source of information: commercial experience as an IT consultant working within government and financial organisations.
    Jay Price - Disco Promotions Ltd - Making Every Event Count



    Areas: West Midlands & Warwickshire
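    The "simple format is no good" point from the post above, as an added example that is not from the thread: a toy disk image (block size, allocation-table layout and the customer record are all invented for illustration) in which a quick format clears only the allocation table, so a raw block scan still finds the customer record, while an overwrite pass removes it. Real filesystems differ in detail, not in kind.

```python
BLOCK = 64      # bytes per block (invented toy layout)
NBLOCKS = 4     # block 0 is the allocation table, blocks 1..3 hold data

def new_disk() -> bytearray:
    """Blank image; every byte starts at zero."""
    return bytearray(BLOCK * NBLOCKS)

def write_file(disk: bytearray, block: int, data: bytes) -> None:
    """Store data in a block and mark the block in use in the table."""
    assert 1 <= block < NBLOCKS and len(data) <= BLOCK
    disk[block * BLOCK:block * BLOCK + len(data)] = data
    disk[block] = 1  # table entry for this block

def quick_format(disk: bytearray) -> None:
    """A quick format or delete: the table is cleared, the data blocks are not."""
    disk[0:BLOCK] = bytes(BLOCK)

def zero_wipe(disk: bytearray, passes: int = 1) -> None:
    """Overwrite every byte, table and data alike; passes=7 mimics the poster's
    7-pass routine, but a single overwrite already defeats the carver below."""
    for _ in range(passes):
        disk[:] = bytes(len(disk))

def carve(disk: bytearray, marker: bytes) -> list[bytes]:
    """Recovery-tool behaviour: ignore the table and scan raw blocks for records."""
    found = []
    for b in range(1, NBLOCKS):
        chunk = bytes(disk[b * BLOCK:(b + 1) * BLOCK])
        if chunk.startswith(marker):
            found.append(chunk.rstrip(b"\x00"))
    return found

def demo() -> tuple[int, int, int]:
    """Count recoverable records after write, after quick format, after wipe."""
    record = b"CUST|Jane Example|1 High St|jane@example.test"  # constructed sample
    disk = new_disk()
    write_file(disk, 1, record)
    before = len(carve(disk, b"CUST|"))
    quick_format(disk)
    after_format = len(carve(disk, b"CUST|"))  # still 1: only the table went
    zero_wipe(disk, passes=7)
    after_wipe = len(carve(disk, b"CUST|"))    # 0
    return before, after_format, after_wipe

if __name__ == "__main__":
    print(demo())  # (1, 1, 0)
```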

  4. #4
    Gazza75's Avatar
    Join Date
    Sep 2012
    Location
    Central Scotland
    Age
    33
    Posts
    42

    Default

    Quote Originally Posted by DiscoPromotions View Post
    Basic information that I assume that we hold on our customers are:

    Name
    Address
    Contact Tel/Email
    This pretty much covers the information I plan on holding and agree on the security issue which again is something that was drilled into me when working for a large bank (who used to lose laptops all the time, full of customer details). An encryption of the database with password protection in a 256 bit key or 512 key with a password protected laptop landing screen that expires every 30 days is more than enough to satisfy the ICO I think.

    Quote Originally Posted by DazzyD
    What are you intending to do with the data you hold which would mean you would need to register as a Data Controller with the ICO? There is only certain data held, and planned uses for that data, that means you need to register. Maintaining a mailing list or database of customer details for a marketing campaign is not one of them.
    My intention was part mailing list/marketing list; my initial thoughts were also to maintain a customer list with the above information, however on further thought this may be more of a thorn in my side. It's a case of weighing the advantages and disadvantages to be able to come to an informed decision.

    On a note for anyone reading through, the same website DazzyD mentions also has some great and very concise info on what you can and can't do with email marketing lists along with text message marketing systems. This can be found here

  5. #5
    King Of Cheese Moderator DazzyD's Avatar
    Join Date
    Feb 2008
    Location
    Between Sunderland & Durham
    Age
    46
    Posts
    5,064

    Default

    Quote Originally Posted by Gazza75 View Post
    This pretty much covers the information I plan on holding and agree on the security issue which again is something that was drilled into me when working for a large bank (who used to lose laptops all the time, full of customer details). An encryption of the database with password protection in a 256 bit key or 512 key with a password protected laptop landing screen that expires every 30 days is more than enough to satisfy the ICO I think.
    ...
    What you need to remember is that banks are very different businesses to your average mobile DJ business. They are bound by law to keep information on their systems for reporting and fraud prevention purposes. We are not. Therefore, the two cannot be compared like for like when discussing the role of a Data Controller in terms of the ICO.

    When I said that this was a "potential minefield" I was joking. It's quite simple, really, but it needs a working knowledge of the Data Protection Act and all its revisions to be totally clear on the matter. However, Gazza's ICO quote in the OP made it quite clear that the purposes for which we would collate personal data would mean we would be exempt from ICO registration; therefore, it doesn't affect us at all. People have a perception of what rights the DPA affords them but, in practice, this perception is often far from the truth. They hear the term "Data Protection" and just assume that all data held about them is automatically protected, but this is simply not the case.
    Dazzy D
    Lightning Disco & Entertainment

    Born to make you party!

  6. #6
    marting's Avatar
    Join Date
    Jan 2011
    Location
    Bournemouth
    Age
    52
    Posts
    418

    Default

    This was mentioned to me when I opened a business account; they were using it to try and justify selling me £17 a month's worth of software which, amongst other things, would encrypt all my emails as well as backing them up. It also backs up music (no limit) and photographs. I'm still deciding if I'm going to be using it.
    Bournemouth Disco's
    Making Your Night A Good Good Night
    http://www.bournemouthdisco.com
