Data dos and don’ts

Our SageCover members not only get award-winning support for their Sage software, they also receive information to help them run their business. Part of their membership includes Solutions magazine, packed with useful information like this…

Managing customer data can be a minefield. We look at the main areas affecting data that you should be paying attention to…

Rules surrounding data privacy are continuously being strengthened, and it is vital that you keep on the right side of the law, or you could face a hefty fine.

But it can be quite tough to keep track of the changes, as entrepreneur James Layfield, founder of Central Working, admits.

“Ignorance isn’t an excuse, but when you’re running a business, you just don’t have time to constantly check what the latest data protection rules are.”

That’s where we can help you, with our guide to the latest data rules and regulations:

Storage and disposal

There is a misconception that, for legal purposes, businesses must keep all of their data. But this is not the case. In fact, you could find yourself in hot water by holding on to personal data for too long.

The Data Protection Act 1998 makes it very clear that businesses must not keep personal data for longer than is necessary. How long you retain personal data is likely to depend on what the information is used for and the surrounding circumstances – when the relationship with the customer has ended, legal and regulatory requirements, and agreed industry practice.

Your business should have a data retention policy to determine how long each type of data can be kept for, and to ensure that it is disposed of in a secure manner at the end of that period. “It is crucial to be able to justify why you are holding on to the information, as it is not acceptable to retain it ‘just in case’,” says Peter Harthan, a barrister at Riverview Chambers. “Only keep what has business value or where there is a legal requirement.”

Third-party rules

When you are sending mailings out to third parties, it is more complex. You are dependent on consumers opting in, for example through ticking a ‘third party’ box when signing up. Without this, you risk running foul of the Privacy and Electronic Communications Regulations 2003, which is an EC Directive. “You can only sign people up to a mailing list if they have bought something from you or if they’ve expressly given you prior permission,” explains Heather Townsend of The Excedia Group. “You must also give them the chance to opt out of every mailing, whether it’s through the post or online.”

Mobile communications

Before sending your customers a mobile marketing message, you need their consent.

Many organisations provide customers with a ‘fair collection’ notice, which lists what types of information the business will collect about them, why they need it and what they will do with it. This is the best way of fulfilling your legal obligations. The level of detail to be included will depend on what type of personal data your business handles and what you do with it. And again, you must give your customers the chance to opt out.


Cookies

This is the biggest recent change. Since the EU’s e-Privacy Directive came into force in May, it has become obligatory for your site to obtain permission for using cookies.

If you haven’t yet taken steps to comply, you need to act now. Ask your IT expert or web agency for a full audit of the cookies that you are currently using, and update your privacy page to give your website users more information on what, why and how you are using cookies, as well as how users can opt out.

“A business may leave itself open to legal proceedings for failing to exercise sufficient care with data,” says Arun Chauhan, director of fraud and risk services at Cobbetts LLP. “Small businesses need to place greater priority on data, because if they fail, they may face not only financial damage, but also the loss of their reputation.”

Melissa Beckett, SageCover Team