0800 0685 362
0117 923 8445
0117 973 6806

Hanover Company Services, Ground Floor, One George Yard, London, EC3V 9DF, UK

Company Formation Specialists

Back to FAQCompliance and Procedure

What is Data Protection?


All companies must comply with the Data Protection Act 1998. The Data Protection Act governs the processing of personal information held on living, identifiable individuals and requires that companies are open about their use of information and process this information correctly. The Data Protection Act also gives individuals the right to access information companies are holding about them.

Personal information is deemed to be information pertaining to living people who can be identified by that information, e.g. staff records or customer databases. The Data Protection Act applies to information held on your computer, some paper-based records and some CCTV systems.

According to the Data Protection Act, a data controller is a person who determines the purposes for which the manner in which personal information is to be processed. If your company is a Limited company, the data controller is the company itself. A data processor, (e.g. member of staff who enters customer details onto your database) acts on behalf of the data controller.

All companies that intend to process any personal information must determine how the Data Protection Act applies to them - it is essential that you meet a condition from Schedule 2 of the Act in order to process personal information and you must ensure that the processing of that information is in compliance with the 8 data protection principles:

The 8 data protection principles

The 8 principles are set out in the Data Protection Act. These are a set of rules that data controllers must follow for protecting personal information. Personal data must be:

  • Processed fairly and lawfully
  • Processed only for one or more specified and lawful purpose
  • Adequate, relevant and not excessive for those purposes
  • Accurate and kept well up to date - data subjects have the right to have inaccurate data corrected or destroyed if the personal information is inaccurate to any matter of fact
  • Kept no longer than is necessary for the purposes it is being processed
  • Processed in line with the rights of the individuals - this includes the right to be informed of all the information for marketing purposes, and to compensation if they can prove they have been damaged by a data controller's non-compliance with the Data Protection Act
  • Secured against accidental loss, destruction or damage and against unauthorised processing - this applies to you even if your business uses a third party to process personal information on your behalf
  • Not transferred to countries outside the European Economic Area - the EU plus Norway, Iceland and Liechtenstein - that do not have adequate protection for individual's personal information, unless a condition from Schedule four of he Act can be met (further information may be obtained from


Top Of Page