Data protection in your business

You must comply with data protection law whenever your business handles personal data – whether that’s data about customers, business contacts or staff.

Comply with UK data protection law

UK data protection law is made up of:

  • the UK General Data Protection Regulation (UK GDPR), which sets out the broad principles and responsibilities for handling personal data
  • the Data Protection Act 2018, which provides detailed rules for handling personal data, explains who enforces these rules and what will happen if you do not follow them

The Information Commissioner's Office (ICO) is the body responsible for enforcing data protection laws. To comply with the law, your business must:

  • know what personal data you hold and what you do with it
  • limit what data you collect to what is necessary and relevant
  • only use the data you collect for specified, explicit purposes
  • only keep data for as long as it is necessary to do so
  • tell people how you use their data and what their personal data rights are
  • allow people to access, correct or delete their data
  • store personal data securely and protect it against loss, theft or misuse
  • keep records of all data processing activities and policies
  • notify the ICO of relevant data breaches

Best practice for data protection

  • Store hard copies and electronic data securely.
  • Delete or destroy personal data when it’s no longer needed or no longer reasonable to keep it.
  • Provide data protection training to everyone in the business.

Things to avoid

  • Sending marketing messages to people if they have not agreed to receive these.
  • Sharing personal data with people outside your business.
  • Collecting personal information that is not required for you to provide your services or meet your legal obligations.

Understand what personal data you hold

Identify all the personal data you hold about customers, leads, people who work for you or suppliers.

Personal data is anything that could identify a living person. It includes:

  • personal information, like names, addresses, dates of birth
  • identifying numbers, like National Insurance number, employee ID, driving licence number
  • financial information, like bank account number, credit card details
  • health information, like allergies, medical history, vaccination records
  • educational or work information, like CVs, references, certificates
  • online identifiers, like IP addresses, account information, purchasing history, social media posts
  • communication records, like emails, messages, voice mails
  • audio-visual records, like photographs and recordings

Audit your data collection practices

Make a list of all the types of personal information you hold, collect or plan to collect in your business.

For each type, consider how you are using the information:

  • if you are not using it, you should not collect it
  • if you are using it, check that you have a lawful basis to do so

Make sure any data you collect is stored securely.

Evaluate why you store data, and for how long. You can only store data for as long as you actually need it.

Create a privacy notice for your business

You need a privacy notice for your business. This must include certain information, including:

  • who you are and how to contact you
  • what personal data you collect and how you collect it
  • why you have this data, how you use it and your lawful basis for using this data
  • how long you store this data for before you dispose of it securely
  • who you share this data with
  • what their rights are to access or amend this data and how to exercise those rights

This privacy notice should be freely available to anyone whose personal data you collect. Include links to it on your website, in forms or wherever you might collect data from clients, customers, suppliers or any other person your business interacts with.

Respond to data protection requests

Anyone can ask if your business holds personal information about them. This is called a subject access request.

You must respond to subject access requests within one month. You cannot usually charge a fee to respond to a subject access request.

Check if you need to register with the ICO

Businesses must register with the ICO and pay an annual fee, unless they are exempt. The ICO's advice service can help you work out if you are exempt.

You are probably exempt if:

  • You only use personal data for core business purposes, like business and staff administration.
  • You only use personal data to promote and market your business.

You probably have to register if:

  • You use CCTV as crime prevention in your business.
  • You use personal data in a health or childcare setting.
  • You use personal data to provide legal or financial services.
