Data Protection Act will catch out SMEs and dot-coms

Time is running out for businesses to comply with the new data protection legislation, due to come into force on Wednesday.

Speaking to Silicon.com, ecommerce lawyer Robert Bond, of UK firm Hobson Audley, warned UK businesses that SMEs and Internet companies might be particularly ill-prepared for the new legislation. The act, prompted by an EC directive, includes a law limiting the transport of personal data outside of the EU.

Bond said: "I think for SMEs and a lot of the dot-coms this is going to come as quite a surprise to them... suddenly you've got Europe saying 'hold fire - you can't do this unless you play by our rules' - it's a bit like fortress Europe again."

While many larger companies and multi-nationals have been preparing for the new legislation for some time, smaller companies may be unaware of their obligations under the new law.

The 1998 Data Protection Act, which comes into force on 1 March, updates the previous Data Protection Act by recognising the distinction between various types of data. For data considered "sensitive" - such as ethnic origin or political opinions - the explicit consent of the subject is required to process it.

Bond said: "It will certainly mean companies will have to jump through more hoops than they used to have to - the key issue is if the data they are mining is in any way sensitive, they'll have to look at how their security is enabled." It may force companies to institute Public Key Infrastructure (PKI) or encryption, he said.

The call for action from UK businesses comes on the heels of a report by the National Computing Centre showing that over half of all businesses have no information security policy, leaving them open to censure under the act.

The Data Protection Registrar, Elizabeth France, refuted suggestions the legislation would be too onerous for business, but warned: "If you've been doing nothing to look after business data so far, then it will be onerous - but I would suggest that that is bad business practice." She said the Data Protection Registrar had set up a virtual registration form on its Web site allowing businesses to find out if they are affected by the law.