Businesses must prepare for second period of DPA

With effect from 24th October 2001, the first transitional period of the Data Protection Act ends and the second period comes into force.

As of this date, businesses will have to comply with the Act in full. The changes include:

Firstly, it will not be permitted for personal data to be exported outside the EEA (European Economic Area), unless the transfer is to a country which provides similar protection to personal data as is provided in the EEA.

Secondly, where data processing is outsourced to third parties, a contract must be in place with the third party requiring them to act only upon the controllers instructions and a requirement that the third party will take appropriate technical and organisational measures to protect the personal data that they process.

Thirdly, businesses must recognise the consumers' right to prevent direct marketing being taken against them, and consumers will have the right to prevent a company from processing data that may cause damage or distress.

In general, automated personal data must be brought into compliance with all the provisions of the Act by 24 October 2001. By 24 October 2007 all personal data, (including manual records) however and whenever processed, must be brought into compliance with all the provisions of the Act.
This document is for general guidance and research purposes only, and does not purport to give professional advice. Please check the date at the top of the article; the Workplace Law Network retains historic articles for general research.