The ICO exists to empower you through information.

This checklist is to help sole traders, and other small organisations in the UK. Use it to help you and your business understand what you need to do to be open and transparent with people when you process their personal data. 

Once you complete the checklist, you get a short report with practical actions you can take and additional guidance  to improve how you deal with data protection in your business. 

If you’re unsure if you need to comply with data protection law, you should take this short quiz first.

1. Is someone in your business responsible for creating the privacy information for your activities and keeping it up to date?
More information

People have a right to know why you need their data, what you are going to do with it and who you’re sharing it with. This is also known as privacy information.

If your business processes personal data, you usually need to provide privacy information to the people whose data you’re holding and using.

You should write this information down in a document called a privacy notice.

You need to review and, where necessary, update this information regularly. Also, you need to think about how you’re providing it to people.

You should also update your privacy information before starting any new processing.

2. Does the responsible person know what your privacy information needs to include?
More information

Your privacy information doesn’t need to be complicated. In fact, a shorter privacy notice may be more effective. But it must always include:

  • name and contact details for your business;
  • the types of personal data you process, for example names and addresses, health data, personal data in official documents such as a copy of a birth certificate;
  • why you’re processing the data;
  • your lawful basis for processing it;
  • where you got people’s personal data from, if it wasn’t directly from them (including if it was from a public source);
  • who you are sharing it with;
  • how long you are keeping it or how you decide this;
  • that people have data protection rights;
  • how people can exercise those rights, for example they can ask for a copy of their personal data; and
  • that people can complain to the ICO.

There is more information on what your privacy notice must include in our right to be informed guidance.

3. Does your responsible person know how to provide privacy information?
More information

Privacy notices often give privacy information.

You can give the privacy information in a variety of ways, such as:

  • in writing – eg on financial applications or job application forms;
  • on signage – eg a poster in a public area or a sign advising of CCTV in operation;
  • electronically – in emails or on your website; or
  • verbally – although it’s best to make a note if you provide information verbally so you have a record that you’ve done it.

However, it’s best to use the same method you use to collect people’s data to give them the privacy information, as it’s likely to be their preferred way to connect with you. You can add more information on your website, if you have one.

However you decide to provide the information, people must be able to find and understand it easily.

4. Is your business’ privacy information easy to understand?
More information

When writing your privacy information, keep it simple.

Be clear, concise and use plain language. Don’t include unnecessary information and avoid using technical jargon.

Although any member of the public should be able to understand your privacy information, it’s important to write it with your target audience in mind. For instance, if you process children's personal data regularly, you must write your privacy information so a child can understand it.

5. Does the responsible person know when to give privacy information?
More information

If you get personal data directly from the people themselves, you should give them your privacy information at the same time. However, you don’t need to provide them with any information they already have.

If you don’t get the personal data from the people themselves, you need to give them your privacy information:

  • the first time you communicate with them;
  • within a reasonable time after obtaining the personal data and no more than one month later; or
  • before or when you disclose the data to someone else.

There are some limited exceptions when you don’t need to provide privacy information.

6. Are all people in your business aware of your privacy information and where to find it?
More information

Everyone in your business should be aware of your privacy information, where to find it and the various ways you provide it.

It’s likely you process their personal data as well as that of customers or business partners, so they’re entitled to receive privacy information.

Public-facing staff may face more detailed questions about the nature of your processing; therefore, they need more in-depth training. The training should help them spot any gaps or inaccuracies in your privacy information and make clear that they should raise these with your lead person.