Data Protection Act a mystery to UK businesses

The UK's stringent data protection laws go into force today - but less than one-quarter of UK companies have even heard of them.

A survey by security companies Content Technologies and CenturyCom found that on the eve of enforcement, only eight per cent of UK blue-chip firms had made the necessary preparations.

From today, under the terms of the 1998 Data Protection Act, it is an offence for companies to distribute personal details of their employees or staff outside the EU, without explicit written consent. The laws are intended to protect personal data against sale to third parties, but they pose problems for companies with a multi-national payroll.

Chris Heslop, marketing director at Content Technologies, said: "There's very little awareness of how electronic information is moved around in an organisation, particularly email which is both spontaneous and permanent."

Heslop said infringements of the new laws would often be accidental. "Companies need to establish content policies that can be enforced, to monitor the flow of information in and out of a company," he told Silicon.com.

The laws bring UK companies into line with an EU data protection directive. They particularly affect European companies trading with the US, where infringement of personal data is not a criminal offence.

Adrian Friend is the European director of TrustE, which monitors the self-regulation of data protection in the US. He told Silicon.com in a recent interview that large businesses were "a little behind in terms of applying all those rules".

He added: "I think the small businesses are somewhat unaware of the implications of the Data Protection Act and the EU directive."

The UK Data Protection Registrar will only enforce the new laws following specific consumer complaints, so laggard businesses still have time to set up an all-encompassing content policy.