Almost one in five businesses has unwittingly breached the data protection act at least once, according to a study by BSI.
The survey questioned over 500 UK SMEs on how they managed personal information on staff and customers, including sensitive data such as racial or ethnic origin, trade union membership and criminal proceedings.
Nearly half admitted that there is no one in their business with specific responsibility for data protection, while 65% said they offered no data protection training for their staff.
Of those questioned, 15% said they were not confident that their data sharing practices conform to the data protection act and almost 5% of these frequently share data regardless. With many firms struggling under financial pressure, 18% said data protection was less of a priority in the current economic climate.
“The BSI survey backs up what we have known for some time – that many organisations find the legislation in this area complex. The standard can help organisations put in place the measures which will lead to compliance and demonstrate that they are handling personal information responsibly”, said Gordon Wanless, chairman of the Data Protection Forum.
BSI recently launched the new British Standard, BS10012, Data protection – Specification for a personal information management system, which was developed to establish best practice and aid compliance with data protection legislation. It is the first standard for the management of personal information.
Rather than prescribing exactly how operations should be run, BS 10012 provides a framework to enable effective management of personal information. It can be used by organisations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.