The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This blog has been written for small organisations, sole traders and small business owners who are interested in finding out how the ICO can help them.

Our dedicated helpline and live chat service should be your first port of call if you can’t find the answers you need on our data protection hub for small organisations.

The hub is packed with bite-sized information, tips and guides written with small organisations in mind.

It has all the information you need to get started with data protection, improve your compliance and learn how to be accountable, despite the limited resources you have at your disposal.

Often, small organisations want to innovate, so there won’t always be a template to follow. That’s why our advisors are here to help.

We welcome calls from all small organisations, including:

  • companies;
  • sole traders;
  • charities;
  • societies;
  • associations;
  • voluntary groups; and
  • anything in between.

Our friendly and knowledgeable helpline and live chat advisors are here to help with queries on everything from data protection and electronic communications through to freedom of information, coronavirus and the end of the transition period now that the UK has left the EU.

Three of our advisors have shared their top data protection tips for small organisations.

Sharon Boot has been at the ICO since 2015.

She says it’s important to get the basics in place:

“The best way we can help any small business achieve compliance is to start with the basics. Get those right and the rest will follow much more easily.

“I take a lot of calls from small business owners who ask what they need to do to comply with data protection law. Even though it’s a really open-ended question, I’m trained to help them go from knowing nothing, to having a pretty good understanding of the basics and what they need to do next by the end of the call.

“Whenever I get one of these calls, I always start off by asking these five questions:

  • Do you know exactly what types of personal information you have about people and where it’s saved?
  • Do you know what you use this information for?
  • Do you know how long you keep it?
  • Have you told people why you’ve got it?
  • Are you confident you’re keeping it safe?

“If the caller answers ‘no’ to any of these, I can hear they’re worried. They’re probably thinking I’m about to call them out or trip them up – but nothing could be further from the truth. It’s my job to help them get it right.

“The ICO has a helpful guide on ‘Getting started with data protection – top tips for beginners’, which is worth a read if you’re new to this.”

Rasa Litvinaviciute has been at the ICO since 2018.

She says the only ‘silly’ question is the question you don’t ask:

“In my experience advising small organisations, there are no ‘silly’ questions. You’re not expected to know everything. If you’ve called us, it’s because you’re trying to get it right and we want to help if you get stuck.

“Our phone lines do get busy, so it’s always worth checking our data protection hub for small organisations to see if the answer you need is there. We have a range of toolkits, guides and other resources to help you. If not, give us a call or start a live chat.

“We get such a wide variety of questions on our helpline, there aren’t many that surprise us. So even if you think your issue is simple, unique or even contentious, don’t be put off calling. You’ll need advice sooner or later, so please don’t wait.

“I always find it easier to help small organisations who are just starting out, because data protection falls into place easily if you get it right first time around. But even if you end up playing catch-up, we can still help you find your way through.”

Sarah Elias has been at the ICO since 2007.

She says if things go wrong, talk to us:

“If you experience a personal data breach, it can be stressful figuring out what to do if you’re not familiar with the ICO’s guidance. But we have lots of experience with these situations, which callers find reassuring.

“There are two questions that need answering: has there been a breach, and what’s the risk? While you have to report some types of personal breaches to us within 72 hours, you can get advice from us before you formally report it.

“We take a lot of calls where the caller isn’t sure whether they’ve had a breach or not – and that’s fine. We can talk you through what you need to consider and the important steps you need to take, such as addressing the problem and minimising the risk to anyone affected.

“The ICO has a guide on how to deal with a personal data breach, which we wrote with small organisations and sole traders in mind.

“Rather than wait until you have a breach, have a look at our guidance before you need it. That way, you’ll be much better prepared.”