The Information Commissioner’s Office has produced practical advice on how to comply with data protection law and how to improve data protection practices in your business, including how to keep employees’ and customers’ personal information secure.

The General Data Protection Regulation

The ICO has produced a package of tools and resources to help businesses, from sole traders to medium sized organisations, comply with their legal obligations under the new law that came in on 25 May 2018.

These resources include:

General Data Protection Regulation FAQs

We have created GDPR FAQs for small hospitality businesses and small retailers.

Data protection self-assessment toolkit

Our data protection self-assessment toolkit can help you assess your compliance with the Data Protection Act and find out what you need to do. We have seven checklists covering a number of areas of compliance.

Good information handling makes good business sense, and it provides a range of benefits. You'll enhance your business's reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.

This toolkit has been designed for small and medium businesses. It is probably not suitable for micro businesses.

Marketing

If you do telephone, email or other electronic marketing then you need to comply with the Privacy and Electronic Communications Regulations.

For further information for small businesses, see our direct marketing checklist or our guidance on direct marketing.

Environmental businesses

If your business is concerned with the environment, for example if you're setting up or running a recycling business, you'll also need to make sure you comply with the environmental information regulations.

Data protection fee

If you handle personal data, you will probably need to pay a fee to the ICO. If you are unsure whether you need to pay, you can take our quick self-assessment to find out. Paying the data protection fee is a statutory requirement and every organisation that processes personal information must pay it, unless they are exempt. Failure to pay is a civil offence.