Small gif

Your customers and employees need to be able to trust you with their personal information or, as the law calls it, their personal data.

Data protection law changes on 25 May 2018

The law on data protection says what you should do when you collect, use, store or do anything else with people’s personal data. This law changes on 25 May 2018. 

The changes reflect the realities of the digital age and the need for people to take more control over their personal data.

So you need to check whether data protection law and the coming changes apply to your business. You can do this by taking the self-assessment below.

Why is data protection important? 

Your customers, employees and other individuals need to be able to trust you to look after and use their personal data properly and safely. Knowing they can trust you is good for your business.

Complying with the rules is also legally required.

Does the new law apply to my business?

Take the self assessment to find out

The new data protection law does apply to your business. You may be thinking...

Why can’t the ICO just tell me exactly what I need to do?

That would be good but there are millions of small businesses in the UK, in many different sectors. They collect different types of personal data from a wide variety of customers, staff and other individuals for many different reasons in many different ways. So it’s impossible for the ICO to produce a to-do list that would be right for every small business. 

But you know your business better than anyone else. So, by making use of our resources and advice, you should be able to work out how to comply with the new law.

If your sector has a professional association or trade body you should look at what information they’re producing about the new law.

OK, so how should I prepare for the new law?

Listen to Information Commissioner, Elizabeth Denham talk you through eight steps you should take now. Or read them in the list below, you can also find a link to more detail on each step at the bottom of the page.


1. Know the law is changing – which you now do, so that’s one thing you’ve done already!

2. Make sure you have a record of the personal data you hold and why.

3. Identify why you have personal data and how you use it.

4. Have a plan in case people ask about their rights regarding the personal information you hold about them.

5 . Ask yourself: before I collect their data, do I clearly tell people why I need it and how I will use it? 

6. Check your security. This can include locking filing cabinets and password-protecting any of your devices and cloud storage that hold your staff or customers’ personal data.

7. Develop a process to make sure you know what to do if you breach data protection rules.

8. Don’t panic: we’re here to help. For example, you can click here to see some frequently asked questions and their answers for several different business sectors. 

View the guide