Are you registered as a data controller? You could risk prosecution if you are not.
The Information Commissioner's Office successfully prosecuted 10 organisations last year for failing to register as data controllers with the ICO. Registering costs only £35 a year, but fines can amount to between £700 and £1,000.
Under the Data Protection Act, organisations that hold personal data are required to notify the ICO. 'Data' includes any details, held on paper or electronically, of people's names, addresses, emails or phone numbers.
There are some exemptions, including one for small not-for-profits. But you must still be able to prove that you are following the ICO's eight principles of good practice, and there is an option to register voluntarily. It might not seem worth the hassle, but consider the implications of failing to follow the principles if something goes wrong and the bad PR that could arise from not being registered.
If you do want to register, you must nominate a data controller, adhere to the eight principles of good practice and renew your registration every year.
If you use any outside agencies to manage or process your data, you are legally responsible for what they do with it - so you should be aware of their status and processes and be sure they have registered as well.
If you hold sensitive data, which includes information such as religion, ethnic origin and so on, there are more stringent rules on who can see and use the data and how it is protected. Again, you need to check with the ICO whether you have this sort of data and how to manage it.
If you're not sure whether this applies to you, contact the ICO Notification Helpline on 01625 545 740 or go to the ICO website at www.ico.gov.uk.