The ICO exists to empower you through information.

Does data protection law apply to my small business?

Small organisations and small business owners who consider their operation to be small and low-risk sometimes aren’t sure if data protection applies to them.

If this sounds like you then the answer is: yes. Data protection laws probably apply, because it’s likely you’re holding and using people’s personal information as part of your usual course of business. This is known as ‘processing’ their personal data. Personal data is information that relates to or identifies an individual. Examples of personal data that you may hold are names and contact details such as email or postal addresses, phone numbers and payment information.

Most small organisations will be processing personal data of some description. For example, the details of your customers and staff will be covered by the rules. The law applies from when personal data is collected, and covers companies of all sizes from sole traders and people who work for themselves through to large global corporations.

Take our short quiz to help you decide if data protection law applies to you.

How do I comply?

Data protection compliance is a journey, not a destination. Most of it is common sense. If you’ve been in business for a while, you’ll already have processes and measures in place that comply with data protection, because they’re helpful to your business. Other parts of the law might take a bit more planning – we can help.

Knowing what personal data you have is a good place to start because this will help make sure you only collect and hold what you need. Personal data means information about people, such as names and addresses. You have to make sure you know – and explain to others – why you have this information. You have to keep it safe, and destroy it securely when it’s no longer needed. If you’ve got sensitive personal information, such as information about someone’s religious beliefs, trade union membership, or health, you must handle this particularly carefully and take extra steps to protect it from getting lost, damaged or stolen. And people have rights when it comes to their personal data, so you need to know what these are because you’ll come across them sooner or later.

If you’re new to data protection or don’t have a big team to help you, we’re here to help. You can always contact us for more assistance if you need it.

What are the benefits of complying with data protection?

Good information handling makes good business sense. Being able to find the right information when you need it and keeping it accurate and safe will help people feel confident in the way you handle their information. It shows that you run a tight ship, and that you can be trusted.

Good information handling also saves you time. For example, if you avoid hoarding data you don’t need, you’ll have significantly fewer files to search through when you’re looking for information you actually need to run your operations efficiently.

When data protection goes wrong, it can also be costly. For example, losing your customer database could mean you’re unable to fulfil any orders. It’s a much better idea to be proactive and take steps to help stop people’s data from getting lost, damaged or stolen in the first place.

Paying your data protection fee on time and being listed on the ICO’s register of fee payers shows that your company takes data protection seriously. It’s the law to pay the fee, which funds the ICO’s work, but it also could positively impact your reputation. It sends a strong message to your customers that you value and care about their information. It can also give other organisations confidence that you know what you’re doing and are worth doing business with.

What will happen if I don’t comply?

You can’t misuse people’s personal data, or leave it vulnerable to getting lost, damaged or stolen. This is because if personal data falls into the wrong hands, people could be harmed. Depending on the situation, they could become victims of identify theft, discrimination, or even physical harm.                                 

Data protection is the law, so it's important that you take steps to comply. If you don’t, you could get a complaint and the ICO may need to take action against your company.

You could also be fined if you don’t pay the data protection fee when you need to.

But even though the ICO has the power to take action, most of our work with small organisations is focussed on helping them get data protection right. Most of the UK’s SMEs are working hard to comply, despite limited resources, and we’re here to help. We have a dedicated advice line for small organisations in addition to the suite of toolkits, bite-sized guides and other tailored resources available on our data protection hub for small organisations.

What data is exempt from data protection law?

Some types of data are exempt from data protection law, such as:      

  • Business data such as your work email address (as long as it doesn’t contain someone’s name) or your company’s financial statements;
  • information about deceased people (because data protection law only applies to information about the living);
  • paper records that aren’t intended to be kept as part of a filing system; and
  • information that you use for purely personal, family or household purposes, rather than for your business or services.

On the other hand, a person’s CV will clearly identify them as a person, their contact details, their past employment history, and personal interests. Internal payroll records will link a named employee to their National Insurance number, bank account details and earnings. Customer contact details will tell you who someone is and – most probably – where they live, their email address, telephone number and what product or service they bought from you. All of these records reveal the identity of a person and additional information connected to them. It’s personal data that needs to be handled in accordance with data protection laws.

Top tip: It’s a good idea to keep any information that is to do with your business separate from personal files such as birthday reminders, family celebrations and personal finances. This will help you more easily draw a line between the data that is subject to data protection obligations, and the data which is exempt.


Do we need to pay a fee to the ICO?

If you’re providing products or services of any type, it’s likely you’ll have and use information about people – known as personal data. This will be the case for sole traders and people who work for themselves as much as for charities, clubs, membership groups, and large organisations.              

If you use personal data for work, for example if you’re using CCTV to protect your premises, then yes – you’ll need to pay a fee to the ICO. Although there are some exemptions.

If you need to pay, and don’t pay, you could be fined.

Most companies will only need to pay £40 or £60 a year. For large organisations – those with more than 250 staff or an annual turnover exceeding £36 million – the fee is £2,900.

If you haven’t registered before, please visit our fees page and click ‘first time payment’. You must complete the online application, which takes about 15 minutes, before sending your payment.

To find out if you need to pay, you can take an online self-assessment.

Top tip: You can save time, hassle and money each year by setting up a Direct Debit, which deducts £5 from your fee.


Is there a register of controllers?

Yes. The ICO keeps a public record of registered controllers. The register includes some basic information about the organisation, including trading names and registered address. It also contains information about which tier of the data protection fee the business falls into, and contact details of their data protection officer, if they have one.


What data protection training should I give to my staff, and how often?

The law doesn’t say what staff data protection training should include or how often it should be provided – this will depend on what is right for your situation. But like any other mandatory training, it should be relevant to people’s role and refreshed regularly.

For example, if you employ someone to print and post out letters to people, you should make sure they know how important it is to keep people’s personal information safe and secure, such as by not leaving paperwork unattended at the printer. You could also train workers who deal with post to make sure they double-check letters before sending them, to check the postal address is correct and you’re sending the right letter to the right person. You might choose to repeat this training formally each year, on top of reminders throughout the year.

Generally speaking, the training you provide should cover at least the data protection basics, what to do if something goes wrong, and what privacy information you give out to customers, clients or members.   

Data protection is everyone’s responsibility, so you’ll need to provide training to everyone who works for you, including temporary staff and volunteers.

How much does data protection compliance cost?

If you use personal data for work, for example if you’re using CCTV to protect your premises, then you’ll need to pay a data protection fee to the ICO – although there are exemptions. Most companies will only need to pay £40 or £60 a year. For large organisations (those with more than 250 staff or an annual turnover exceeding £36 million) the fee is £2,900.

Aside from the data protection fee, there aren’t any other set costs for compliance. Much of the law is common sense, and it’s likely you’re already complying in important areas, such as by using strong passwords and shredding sensitive documents when you no longer need them. If that’s you, then you’re already protecting data within the resources you have already.

Other parts of the law might take a bit more planning. We’re here to help. Our data protection hub for small organisations offers a suite of tailored toolkits, templates and guides to help you understand data protection and make it your business. All of our guidance is free, and your time here is time well-spent because data protection compliance will save you time and money in the long-run.

What are some of the most common data protection complaints the ICO receives about small businesses?

We often receive complaints from people who have concerns that:

  • you haven’t given them all their information in response to their subject access request (SAR);
  • you haven’t kept their personal data secure;
  • some of the personal information you hold about them is inaccurate;
  • you’ve given their personal information to someone else;
  • you’ve used unlawful marketing tactics to promote your business;
  • you’ve kept their personal data for longer than necessary; or
  • you’re using their personal information for something other than what you said you would.

They may send similar complaints to you. And if they’re not happy with how you respond, they could complain to us.

It’s a good idea to regularly review feedback and complaints that customers send you. This will help you understand how to improve your services for the future and avoid repeating any mistakes.

Our focus is always to provide businesses with advice and support to help them get data protection right. Check out our SME web hub for help in handling people’s data.

What happens when the ICO receives a complaint about my small business?

People have the right to complain to us about the way your small business handles personal data. But we expect them to have raised their concerns with you first and given you a reasonable opportunity to respond and resolve the issue. 

When we receive a complaint, we check it’s something we can help with. We then allocate a case officer to look into the complaint.

The case officer will:

  • weigh up the facts of what’s happened, fairly and impartially;
  • tell you if there’s further work for you to do;
  • ask you for further information if they think it’s needed; and
  • let you know the outcome of our considerations.

If you’ve provided a clear and detailed response to the complaint, setting out why you believe you’ve acted lawfully, it may not be necessary for us to contact you further. If we have enough information that demonstrates you’ve complied with data protection law, we’ll let the person who made the complaint know.

If we think there’s been an infringement, we’ll usually provide advice so you can put things right and improve your practices. Our focus is always to provide businesses with advice and support to help them get data protection right. We deal with most complaints in this way. We only take enforcement action – such as issuing a monetary penalty – where necessary and appropriate.

We’re here to help. Check out our SME web hub for help in handling people’s data. Getting it right now means you’re less likely to receive complaints in the future. If you get stuck, you can always get help and support from us.

Do I need a DPO?

A small organisation is unlikely to need a data protection officer (DPO).

Data protection law says you must appoint a DPO if:

  • you’re a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

If you don’t meet these categories, you’re not required to have a DPO.

But you may still feel it could be useful to have someone who takes responsibility for data protection and you could appoint a DPO voluntarily. For example, this person could look after your privacy notice and keep your customer and staff records up-to-date. They could also deal with any data protection requests. Your DPO can be an existing employee as long as there isn’t a conflict of interest with their current role.

Also see:

Does it matter whether I comply or not?

Any successful enterprise knows that relationships are key. Your customers, clients, members and donors care about their personal data, so you have to look after it if you want to build trust. If you get a reputation for being reckless with people’s personal data, you’ll have a mountain to climb to get them to trust you with it again. Simply put, good data protection is good for your brand.                                       

When personal information is accurate, relevant and safe it can save you time and money which will impact your bottom line. It’s also the law, and you could be fined if you don’t comply.

Why can’t the ICO tell me exactly what to do?

Data protection law uses a set of key principles for how personal data should be used and protected rather than a list of what can and can’t be done. This makes sense, as it would be impossible to define all the different ways businesses should be handling data.

If you think about health and safety law, your responsibility is to make sure people are safe and protected from possible dangers to their health. It’s not the case that if all employees wear safety glasses and gloves, the business is following health and safety regulations. What if there’s a wet floor, or a sharp object?

Similarly, in data protection law, your responsibility is to make sure personal data is safe, and respect people’s information rights. It’s not the case that if all employees change their passwords every 12 weeks, the business is fully following data protection regulations. What if there’s a fire that destroys their data, or a customer’s file is accidentally sent to the wrong person? What measures are in place to mitigate against those risks and to recover the position should the worst occur?

At its core, data protection law encourages those responsible to assess and respond to the risks as they see them. Every organisation is different, so there’s no one-size-fits-all answer that the ICO can give. Even two sole traders in the same industry will run their businesses in different ways. If both of them contact the ICO with the same question, our advice will depend on the context surrounding each case, or any other information they give us about their processes or the types of data they collect.

It’s a good thing to have flexibility in the law, because it means there aren’t any barriers to being innovative, as long as you’re responsible and accountable for how you’re using personal data. You know your business best, so it’s up to you to decide what you need to do. But you can always contact us if you need our advice.

Is the platform/programme we’re using compliant with data protection law?

We can’t tell you if a particular platform or programme is compliant because we can’t check every IT product and service that enters the market. You have to assess and respond to the risks as you see them and decide for yourself whether a product or service is appropriate for how you plan to use it.                   

But when making your decision, it’s a good idea to think about whether you can make sure the data is kept secure. For example, if you’re considering video conferencing software, look at its privacy settings and features.

You also need to be sure that any platform or programme allows you to comply with data protection law when it comes to people’s information rights. For example, if someone asks you for a copy of their personal data, you need to be able to find their data easily.

What should I look for in a data protection or GDPR consultant?

Not all companies will need a data protection consultant. We’ve got lots of tools and resources on our website including checklists, toolkits and simple guides that have been tailored to the needs of SMEs, small organisations, small businesses, and sole traders. You can also get in touch with us if you need advice.

If you’ve decided that you need a data protection consultant, they should have good experience and knowledge of data protection law. They don’t need to have specific qualifications, but it would be an advantage for them to have good knowledge of your industry or sector.

As a small organisation, do I need to do a DPIA?

A DPIA (a Data Protection Impact Assessment) is a process designed to help you identify and minimise the data protection risks of a project or plan. You need to do a DPIA if what you’re planning to do is likely to result in a high risk to people. For example, if you’re planning to process sensitive data such as medical data or information about children or vulnerable adults, it’s likely you’ll need to do a DPIA first.

You can choose to do a DPIA if you think it would help you decide whether the processing you’re planning is appropriate and proportionate. And it’s a good idea to do a DPIA if you’re planning a large project where lots of personal data will be processed, such as a customer survey.


How do we do a DPIA?

The steps you’ll need to take to complete a DPIA (a Data Protection Impact Assessment) as a small organisation are similar to how you’d approach many other workplace decisions – you look at the situation you’re in and the options available to you, weigh up the risks and opportunities, and describe your way forward. You can use our handy DPIA template.

For your DPIA, you’ll describe what you plan to do including whose data will be used and why you need to do it that way. You’ll then assess whether the processing is necessary and proportionate – in other words, a plan that’s balanced and makes sense – before setting out what measures you’ll put in place to ensure your plan complies with data protection laws.

If you think there are any risks to people, you need to make a record of this along with any mitigations or solutions you’ve found. If you think your plans are high risk but you haven’t found any mitigations or solutions, you must consult us before you put your plans in action.

For more detailed steps, please read our DPIA guide.


What does ‘data protection by design and default’ mean?

If you’re a controller you must consider data protection and privacy issues in everything that you do. It pays to think about it at the very beginning.

Data protection by design means thinking about privacy and data protection from start to end. If your business is setting up a system, product, service or process you need to include data protection in its design. You need to think about any risks to the people whose data you’re processing  and take steps to reduce these risks. You also need to ensure you tell people what you’re doing with their personal data in plain language.

Data protection by default means limiting the amount of personal data you collect to only what you need. For example, if you only need a name and address to arrange a delivery, this is all you should collect. You should decide what personal data you need to start with and make sure you inform people how you will use it. In most cases, you should only use the personal data for the reasons you collected it.

There is no ‘one size fits all’ approach as it depends on your individual circumstances. You need to think about data protection by design and default whenever you implement something new using personal data.

For example, Dave is a builder. He wants to put a new contact form on his website for business enquiries. Before he starts using the form, he should make sure it collects only the information he needs to deal with the initial enquiry, so the customer’s name, contact details and the details of the enquiry. He also needs to make sure the website is secure to protect the personal data  and keep it private. By taking these steps, he’s trying to reduce any potential harm to his customers. He should update his privacy notice  and make it clearly accessible when customers use the form. When he starts using the form, he should continue thinking about these data protection considerations.