The ICO exists to empower you through information.

This blog has been written with the needs of small businesses in mind.

Whether you’re just starting out or you’ve been in business for a while, here are 15 things all small businesses need to know about data protection.

1. Your customers care what happens to their data

They want to know what you plan to do with their personal data. They also want a say in what happens to it.

Be proactive and tell your customers what you’re doing with their data and why. We’ve made it easy for you to create your own privacy notice.

2. Data is the lifeblood of any modern business

Without data, you’d probably struggle to fulfil a contract or complete an order, so it makes sense to put security measures in place to protect it.

3. The world moves fast – and it’s important to keep up

Most businesses now rely on computers and remote working. Trying to do things more or less the same way you’ve always done them probably isn’t what’s best for your data, your customers or your profits.

Make it a habit to check how you’re doing with your data protection compliance on a regular basis. We want to help you comply.

4. Secure, organised data could win you the contract

If you’re supplying goods or services to larger organisations, procurement contracts can insist on suppliers having data protection policies in place, which could give you a competitive edge. Similarly, organisations with ethics and corporate social responsibility policies look for suppliers who meet these standards.

Having your data in order also reduces the risk of personal information getting lost, stolen or used in ways your customers wouldn’t expect.

5. Get it right and you’ll save time and money

Data protection compliance is an investment, one which helps you to avoid the cost and time of dealing with issues, such as formal complaints and breaches of personal data, that can come up when a business doesn’t take effective steps to comply.

Good data protection practices could also lead to bonus efficiencies for your business. For example, the law calls for ‘storage limitation’, which means not keeping data for longer than you need it. When you do it right, you’ll have less data to go through, making it quicker and easier for you to find what you need and cheaper to protect what’s really important.

6. You should be proactive when it comes to IT security

The security of your computers and other IT systems is something every small business needs to get sorted – and you should test it regularly.

The law says you should keep personal data safe, using measures you think are appropriate. The risks you face will be unique to your business and how you run it, but keeping data safe often includes making sure you’ve got up-to-date anti-virus software, being careful not to leave your laptop unattended, using strong passwords and training your staff so that your security links are strong all along the chain.

The ICO works with the National Cyber Security Centre (NCSC) to help organisations protect personal data against cyber threats. Read their guide on actions to take when the cyber threat is heightened.

7. Modern regulation uses a wide range of tools

Our fines and penalties may grab the headlines, but we know that helping you to comply is the most effective way of reducing mistakes and misuse of people’s data.

There’s no big secret to not getting fined. The basics of data protection law are largely common sense. For example, everything you do with someone’s data must be legal, fair and clear to them. If something doesn’t feel right, then it’s worth double-checking it. Our tools and checklists can help. 

8. Responsible sharing of personal data keeps us working

Almost every interaction you have with your customers involves them giving you their personal data, such as their names and addresses. Sharing data you hold in the right way and for the right reasons can help keep your business running, improve the services you offer and save you time.

9. Know about people’s rights

There’s more to data protection than storing and handling it in a safe way. People also have rights over their data.

For example, the right of access is where someone can ask you for a copy of their data through a subject access request (SAR). It’s a good idea to have a plan for how to deal with a request for information because this is quite common.

There are also situations where people can object to your use of their personal data, especially if you’re using it for marketing. People also have the right to challenge the accuracy of information you hold about them and can ask you to delete it. These rights don’t always apply, but you still need to take requests seriously and respond within a month.

10. What to do when something goes wrong

Some personal data breaches – usually the more serious ones – need to be reported to us within 72 hours of you becoming aware of them. So you’ll need to act fast if this happens. You could save yourself a lot of stress by familiarising yourself with our simple guide on how to respond to a personal data breach. We hope you won’t need it, but it’s better to be prepared.

If you find out that personal data has been accidentally or deliberately lost, destroyed, changed or seen by someone who wasn’t supposed to have access to it, but you don’t think anyone will be adversely affected, it’s unlikely you’ll need to report it to us. Our simple guide on understanding risk in personal data breaches helps you to know the difference.

11. Figure out your lawful basis for processing – it’s a must

There are limits on what you can do with people’s personal data. You need a ‘lawful basis’, chosen from a list, which reflects the reasons you think it’s within the law for you to be doing what you’re doing.

There’s no lawful basis that’s better or more lawful than the others. You have to choose which is most appropriate for what you’re doing and stick to it. It’s your call to make but our interactive tool may help you decide.

12. Data – it’s not always personal

Some types of data are exempt from data protection laws. For example, data protection doesn’t apply to information relating to people who have died.

Nor does it apply to data that isn’t personal, such as information about limited companies. It’s unlikely that bank account statements and invoices about a limited company include any personal data. Even if they mention directors or employees, the information in these documents is about the company, not about those individuals.

13. Don’t forget about your staff

Your staff need to understand their role in making sure your business complies with data protection laws. To do this, you’ll need to train them regularly and make sure this training is relevant for their role.

Remember that you hold data on your staff too. Staff have the same information rights as customers. Make sure they can access your privacy notice from the first time you collect their details – this is usually during your recruitment process. And you need to know how to deal with a request for information in case a staff member asks for a copy of their information.

14. Your data protection fee funds the ICO’s work

It’s part of UK law for companies – including small businesses – to pay a data protection fee to the ICO. This funds our work.

Check if you need to pay the data protection fee. There’s a fine to pay if you don’t pay when you should.

You could be exempt if you’re only processing personal data for your core business purposes, but you should check this. This exemption covers things like staff administration, accounts and advertising your own business. But if your small business uses CCTV for crime prevention purposes, chances are you’ll need to register with the ICO and pay the data protection fee.

If you’re not exempt, the annual fee starts at £40 for those with up to 10 staff and a turnover of less than £632k.

15. Data protection is a journey

Data protection isn’t something that can be done overnight. It’s an ongoing journey.

If you put in the time, it’s possible for every small business to have great practices in place. If you get stuck, we’re here to help