Review what data you collect, and why you need it.
Ensure that you do not collect any unnecessary personal data; delete any unnecessary information from your records.
Check whether you need to notify the Information Commissioner about your use of personal data, and if necessary do so.
Train employees on how data protection principles apply to their work.
Make breaches of data security policies and misuse of data disciplinary offences.
Collect information fairly; if in doubt, ask contacts to opt in before adding them to your database.
Include a statement of your privacy policy on your website.
Maintain a ‘do not contact’ list of individuals and companies who have opted out; check against this list before adding new contacts to your database.
Take steps to ensure that you input data accurately.
If you buy in mailing (or other) lists, ensure that they have been properly screened: for example, checked against the Mailing Preference Service, and that the list broker has obtained the proper opt-ins if you want to market to the list electronically.
Give contacts the right to opt out from further communications whenever you send them mail or electronic communications.
Protect access to systems and data: for example, through appropriate building security and computer passwords.
Install appropriate electronic security: for example, a firewall and anti-virus software.
Restrict access to sensitive information to employees who need it.
Set up a system for updating your database, including removing information that is no longer needed.
Dispose of old records (on paper or electronic storage) securely.
Ensure that you back up your database, and that backup copies are kept secure.
Set up a procedure for responding to subject access requests from individuals who ask to see what information you hold on them.
Check the legal position before you transfer or sell your database (for example, selling to a third party or transferring to an overseas office).