
An introduction to data protection for small businesses and sole traders

This webinar covers personal information, lawful bases, retention periods, subject access requests, personal data breaches and individual rights.

Script for this video

Hi, we're from the Information Commissioner's Office, or ICO, the UK's independent regulator for data protection law.
Our role is to help businesses get data protection right, advise government about data privacy issues and take action against those who don't comply with the law.

A fundamental aspect of our work is helping small businesses get their data protection right by providing practical advice.
And you can find lots of this on our SME web hub.
The web hub has top tips, guides, and simple tools designed to help small and medium sized businesses get to grips with data protection.
It has everything you need to get started, check how you're doing and improve your compliance.

We also link to the registration page where you can check if you need to pay the fee, change your details or set up your direct debit.
Many organisations are legally required to register and pay the data protection fee. For small and medium sized businesses this is £40 or £60 per year, with a £5 reduction when paid by direct debit.
We have a self assessment tool so you can check if you need to register with us.
We also have friendly and knowledgeable staff on our helpline and live chat who can guide you if you get stuck.

So, this video will help you understand how to make data protection work for your small business.
It looks at the key issues you need to know, focusing on: what is personal information; how to identify the appropriate lawful basis for your business; how to set appropriate retention periods; privacy notices and the right to be informed; security and personal data breaches; and finally, individual rights and what to do if you receive a subject access request.

So what is personal information?
Data protection law is all about personal information.
This is any and all information that identifies and relates to a living person.
It could be about who someone is, where they live or what they do.
It's information that tells you something about them. As part of running your business, you're likely to handle people's personal information every day.
An example might be the information you record as part of employing staff, such as their bank and wage details, their HR records, and any sickness information.
It's your responsibility to keep all that personal information safe, so it's important you know what you have, why you have it and where it is.
You need to consider how you store it, how you use it, and when you should dispose of it.
You must also understand the rights people have over their information and how to uphold them.
Getting these things right will give confidence and reassurance to your staff, suppliers and customers.
They'll trust you to comply with the law and look after their information properly.

Now before you collect and use someone's personal information, you need to identify your lawful basis.
This is basically your reason for having the data, and there are six options: consent, legal obligation, contract, vital interests, public task and legitimate interests.
We'll briefly go through each of these for you now.

So, consent. If you're relying on consent to use personal information, it has to be freely given.
It can't be coerced or a condition of service.
The person giving their consent can withdraw it at any time, and if they do so, you must stop processing their personal information.
Consent is the lawful basis most people think of, but it's not necessarily always the most appropriate.
For example, if you employ staff, you have to tell HMRC what they earn for tax purposes.
You couldn't rely on consent here, because if they said "I don't want you to give HMRC any information about me", you'd be a bit stuck. In this example, legal obligation would be a more appropriate lawful basis.

So, a little more on legal obligation then. This is where there's specific legislation in place that directs you to process the personal information.
For example, as previously mentioned, you have a legal obligation to provide information about your employees to HMRC.
You may also have a legal obligation to share personal information with the Health and Safety Executive where there's been a death, injury or dangerous incident in your workplace.

Next, contract. You may need to process personal information to meet your contractual obligations or as part of a potential contract.
For example, if a prospective client asks for a quote for your services, you'll need to process a certain amount of their personal information in order to provide this.

Now, you can rely on vital interests as a lawful basis if you need to process personal information to protect someone's life. For example, giving relevant information to the ambulance crew who've turned up to help someone who's unconscious.

Public task. This lawful basis is usually used by public authorities or organisations carrying out specific tasks in the public interest.
You may need to consider this if you work on behalf of a public authority such as your local Council.

And finally, legitimate interests.
This is where using personal information is in the legitimate interests of yourself or a third party, and this can include commercial interests.
But you do need to be able to justify your use of this lawful basis.
To do so, you must identify a legitimate interest, show that the way you're using personal information is necessary to achieve this interest, and balance your interest against the person's own interests.
This lawful basis is most appropriate where you use personal information in ways that people would reasonably expect, and where the privacy impact is minimal.
For example, if you use contact information that somebody's made public to let them know about a job opportunity they may be interested in.
Whichever lawful basis you rely on, the way you use personal information needs to be proportionate and necessary to achieve the specified purpose.
You must be able to justify what you're doing and why.

Next, think about the personal information you hold.
We've talked about the lawful basis for having it, but you must also ask yourself, do I still need it?
You must be able to justify how long you keep personal information for and set an appropriate retention period.
The UK GDPR doesn't set specific time limits for different types of data; this will depend on your purpose for holding the information.
First, identify why you need the personal information.
It might be that you're required to comply with legislation relevant to your sector.
If so, then a specific retention period may already be set out, but if you're only retaining personal information for your own purposes, you'll need to set your own retention periods.
Think about the different types of personal information you hold and decide how long you need to keep each type for.

Now, once you've established your retention periods, you should document them.
Regularly review the information you hold in line with these.
Some automated systems can help you with this by flagging records for review or deleting information after a predetermined period.
You also need to consider how you dispose of the personal information you no longer need.
So make sure you shred any paper documents that include personal information and double check that electronic information isn't being stored in your backups or recycle bins if you no longer need it.

Next, we'll focus on the right to be informed.
People typically have a right to know what you're doing with their data.
You generally have to tell people what data you have, why you have it, what you're going to do with it, who you'll share it with, and how long you'll keep it for.
It's usually easiest to let them know this through a privacy notice.
You can either put this on your website, or you could have it as a document you provide, either as a paper or electronic copy.
This should be given to people before you start using their data, such as when they first contact you.
Think about how your audience interacts with you and make your privacy information available to them in a way that will be easy for them to access.
Proactively telling people what you do with personal information, including who you share it with and how long you keep it in an easy to understand and transparent way, will increase people's confidence in your collection and use of their information.

Now when you run a business, people trust you with their data and you do have a duty to keep it safe.
So we recommend that if you store information electronically, as most of us do, you set up user accounts with strong passwords and make all of your devices lock when left unattended for a certain period. Avoid using the same password for multiple accounts or using personal passwords for work accounts.

Consider using multifactor authentication similar to that used when you log into your bank account.
For example, a password and a validation code sent by text.
This will help to reduce the risk of any unauthorised access to your accounts.

Be extra vigilant about opening web links and attachments in emails or other messages.
If you're unsure, contact the source of the email first to make sure that they haven't been the victim of a phishing attack.
The National Cyber Security Centre, or NCSC, explains that phishing is when attackers attempt to trick users into doing the wrong thing, such as by clicking a bad link that will download malware or direct them to an unsafe website.
These phishing attacks often arrive by email, but can also be through phone, text or social media too.
It's also important to make your staff aware of the dangers and what to look out for.

Regularly delete unneeded emails as this means any attacker who does gain access to your systems is going to have much less personal information available to them.

Having up-to-date backups of your hard drive is important.
Storing these away from your main computer is an effective way of making sure your business's data is still available to you if you were the subject of a ransomware attack.
Sometimes, however, things don't go according to plan.
Now, if there's been a breach of security and this leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal information, this is known as a personal data breach, or PDB.
In other words, this means something's gone wrong with the personal information you're responsible for, and it's your job to take action.
If this does happen, the first thing you need to do is to consider the implications.
What's the potential risk to the people affected?

Your priority is to take action to reduce or remove that risk whenever possible.
The faster you act, the greater the chance of stopping what may have been a small problem from becoming a big problem.

So having assessed the risk, if you can't say that it's unlikely that people will be affected, you need to report the breach to us at the ICO.
Where possible, you should do this within 72 hours of finding out that something went wrong and give us as much information as you can.
Tell us what happened, why it happened and what you've done to reduce the risk.

And always keep an internal record of what's happened and look at the steps you can take to stop the same thing from happening again in the future.

So moving on then, we talked about the right to be informed earlier, but there are other rights that people have over their personal information.
It's important that you understand these rights and are aware of the requests that people can make to you.

These individual rights give people a level of control over how businesses use their information.
They include the right to have their data deleted or corrected, the right to stop processing in certain circumstances, and the right to get a copy of the data held about them.
This is known as making a subject access request or a SAR.

In most circumstances, you'll have one calendar month to respond to any information rights requests that are made to you.
So knowing what information you hold and where it's stored can really help to make things quick and easy. We'd recommend putting a process in place for handling these types of requests now, even if you've never received one before. Having a written process to follow can make it easier and save you time once the clock starts ticking.

In this video, we'll focus on subject access requests as we receive lots of questions about these on our live services.
You can receive a SAR from anyone, including a customer, employee or a member of the public captured on your CCTV recording.

Now if someone makes a request about their information, you must comply with that request unless there's a good reason not to.
You can only refuse all or part of the request if you have a compelling reason.
A request can be refused if it's manifestly unfounded or excessive.

But refusing a request on these grounds is a high bar to reach, so you'll need a strong justification, which you should document.

A request could be regarded as manifestly unfounded if it's clear the person who's making the request isn't really interested in the information, but has another motive.
For example, if a customer makes a request but then offers to withdraw it in return for some form of benefit, such as a discount on their next purchase. For a request to be considered manifestly excessive, it needs to be clearly or obviously unreasonable.
A person is entitled to request a copy of all the personal information you hold about them.
A request isn't manifestly excessive just because it may involve a large amount of data.
You will need to take into account all the circumstances of the request if you're determining whether it's manifestly excessive.
For example, does it largely repeat or overlap with previous requests made by the same person?
If it does, has a reasonable time elapsed since the last request?

To help you deal with SARs where you hold a large amount of personal information, you could ask the requester to narrow down their request and specifically identify what they're looking for.
This may help you to locate the material that they want.
Having a good retention policy, which we talked about earlier, also helps when it comes to handling SARs. Because you're only keeping the personal information you actually need, there's going to be less information to search through.

Now it's helpful to note that whilst people can ask for copies of the information you hold about them, this doesn't necessarily entitle them to complete documents.
A common situation is where information that's been requested includes personal information about other people.
We refer to this as third party data. In situations where the requester already knows the information about the third party, for example if they've previously seen it or can find it online or in the news, it's likely to be reasonable for you to provide it.
But if this isn't the case, the requester may not be entitled to see the third party data.
There are a few things to consider when looking at providing documents that include other people's information.
Firstly, could you remove the third party data so it is no longer identifiable?
You'll need to bear in mind that just removing someone's name may not be enough if there's other information there that can still identify them.
If you can't remove the information relating to someone else, you should consider asking for the third party's consent to provide it.
Be aware that you don't always have to do this.
You may not have the contact details for that third party, or perhaps they shouldn't know that a request has been made.
If seeking consent isn't appropriate or the third party refuses consent, you'll need to decide whether it would be reasonable to disclose their data anyway.

You must provide people with the personal information they're entitled to and withhold anything that they're not.
You can do this by either redacting or blanking out any information that they shouldn't receive.
Or you could collate the information that they are entitled to into a separate document and provide them with that.
You should document your reasoning for any action you take, so you can demonstrate your decision-making process, and if you're not sure, call us.
We're here to help.

We hope you've found the information in this video useful.
If you need any further help with any data protection queries or issues, we have live services teams to answer your questions.
You can reach us through our helpline, live chat or drop us an email.
Data protection compliance is a journey. Wherever you are on that journey, the ICO is here to help.

Setting strong passwords – a useful guide

In this short video, Sarah from the NCSC talks about how to keep people’s information safe online using strong passwords.

Multi-factor authentication – a useful guide

In this short video Mihaela, the ICO Director of Cyber, talks about how multi-factor authentication can boost your organisation’s cyber security.

Data protection for direct marketing: a two-minute guide

Script for this video

Marketing can be vital to the success of your small business. But if you're carrying out direct marketing, such as calling someone or sending texts, emails or personalised letters, the data protection rules apply.

Marketing your business in a way that’s lawful, fair and transparent will show that you respect people’s information and can be trusted with it. Here are the three key things you must do:

1. Work out your lawful basis

If you're using someone's information, you need a reason for doing so. Data protection law calls these reasons 'lawful bases'. There are six to choose from. When you want to send direct marketing, you'll probably use either consent or legitimate interests. You can find more guidance on these lawful bases on the SME web hub.

2. Tell people what you’re doing.

People have rights when it comes to how their information is used. If someone gives you their personal details, and you plan to use these to send them marketing, you must let them know.

3. Respect people’s choices

Many people are happy for you to use their information for direct marketing, but others may not be. Be fair by respecting their choices. Make it easy for people to tell you that they don't want to receive marketing from you, such as by adding an 'unsubscribe' button to every email you send.

You should keep a ‘do not contact’ list of people who’ve objected, and check it before you start any marketing campaigns.

Marketing your business can cost time and money. Make the most of this by only contacting people who are willing to hear from you.

Soft opt-in for email and text marketing: a two-minute guide

Script for this video

A successful marketing email or text campaign can help you reach a large number of people directly and provide a real boost to your business. In this video we're talking about the rules when you're marketing to individuals, that's the general public. The same rules would apply for sole traders and some partnerships. We've got information about B2B marketing rules in the SME Hub.

There are two ways you can lawfully send marketing emails or texts to people: either if people have specifically consented to receiving them, or if you use what's known as the soft opt-in. One of the most common queries we get from businesses is how to use the soft opt-in. There are five requirements; if you meet all of these, then you can use the soft opt-in to send your marketing emails and texts to your customers:

1. You must be contacting your existing customers who've either bought or asked about your goods or services in the past. For example, a beautician who's previously given a customer a manicure could text them about a special offer on nail extensions.

2. You must have got someone’s contact details directly from them, rather than from someone else or from a website. So the beautician must have got the customer’s details from them herself, rather than getting these from a local hairdresser.

3. You must be contacting someone about your product or service that’s similar to the one they were interested in. For example, the beautician can contact her customers about her new beauty treatments, but she can’t use the soft opt-in to make them aware of a clothing range she now offers.

4. When you got their details, you must have given them a clear and easy way to opt out of your email and text marketing. For example, the beautician includes an opt out box on the form she asks new clients to complete and they can tick it if they don’t want to get marketing text messages from her.

5. You must give people the chance to opt out in every marketing message you send. For example, the beautician has an unsubscribe link in each of the marketing texts she sends.

By following these rules you'll unlock the value of the personal information you hold in a responsible way, which can help your business succeed.

Data protection and telephone marketing: a two-minute guide

Script for this video

Whether you're calling businesses or members of the public, a targeted and well thought out telemarketing campaign can be hugely impactful for your business. In this video we're talking about the rules when you're marketing to individuals, that's the general public. We've got information about B2B marketing rules in the SME Hub.

We want to help you comply with the law and make the most of your marketing. Here are our three key requirements for marketing by phone.

1. Check people’s preferences

You can make marketing calls, but you mustn’t call anyone who’s registered with the Telephone Preference Service, known as the TPS. The only exception to this rule is where someone has specifically asked to get these calls from you. You can find more information on the TPS website.

You must also check your own ‘do not contact list’ as you mustn’t call anyone who’s told you they don’t want to receive marketing calls from you.

The rules are different for direct marketing calls about pensions and claims management services, so take a look at our SME web hub if these are relevant to your business.

2. Make it clear that it’s you who is calling

Each time you make a marketing call, your phone number must be displayed and you must tell people who you are and give your contact details if asked.

3. Recognise there are different rules for automated and live calls

If you want to make automated marketing calls, you must have people’s consent to receive recorded marketing messages. Consent to receiving live marketing calls doesn’t count.

By following these rules you’ll be able to reach out to people and grow your business in a reputable way.

Data protection explained in three minutes

Top tips for small businesses in the land and property sector

Data protection in small schools

Data protection for small healthcare organisations

Cyber security guidance for small businesses

Training resources for small businesses

We’ve taken the training ICO staff receive and adapted it for use by small businesses.
We will be updating our guidance and offering support whenever there are developments. You can sign up to our newsletter below to receive information about this and other ICO updates.