Practical advice on how data protection affects your business, including keeping employees’ and customers’ personal information secure.

Helping you comply with your responsibilities to information rights in your small or medium sized business.

Data protection – looking after the information you hold

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Data protection self assessment toolkit 

Our data protection self assessment toolkit can help you assess your compliance with the Data Protection Act and find out what you need to do to. We have a seven checklists covering a number of areas of compliance including Getting ready for the GDPR, Information Security and CCTV.  

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your business's reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money.

Data protection guidance for small businesses


If you do telephone, email or other electronic marketing then you need to comply with the Privacy and Electronics Communications Regulations.

For further information for small businesses, see our direct marketing checklist or  our guidance on direct marketing.

Environmental businesses

If your business is concerned with the environment, for example if you're a setting up or running a recycling business, you'll also need to make sure you comply with the environmental information regulations.

Registration with the ICO

If you handle personal information, you may need to register as a data controller with the ICO. Registration is a statutory requirement and every organisation that processes personal information must register with the ICO, unless they are exempt. Failure to register is a criminal offence.

If you are not sure if you need to register with the ICO you can complete our registration self-assessment.

Good practice

While businesses are responsible for what they do, some trade bodies and industry associations have developed industry standards or can give good practice tips specific to your sector.

We've published a report detailing some of the good practice and areas for improvement we have seen in the private sector.