Latest updates - last updated 7 August 2023

7 August 2023 - We've updated this guidance to reflect the ICO's must, should, could terminology and provide regulatory certainty. We've also changed the title in line with our new approach.

This handy guide to data protection covers some of the key points you need to know and think about when getting started. It directs you to the resources and assistance we provide to support you in using personal information confidently and securely to help your business thrive.

To help you understand what the law says and what we expect, this guidance tells you what organisations must, should, and could do to comply.

Where we say must, this means you’re required to do this by law. 

Should doesn’t refer to a legal requirement. But it’s what we expect you to do, unless there’s a good reason not to. If you choose to take a different approach, you must be able to demonstrate this also complies with the law.

Could refers to an option or example you could consider to help you comply with the law effectively.


Any personal information your business holds needs to be used fairly and securely in line with data protection laws. This information could be names, addresses, emails, telephone numbers, and bank or credit card details. It can also include more sensitive information, such as people’s health data or their criminal records.

Keeping personal information secure, and using it responsibly, protects your reputation and helps prevent potential harm or distress to people. Good information management also helps maintain your customers’ trust, which makes good business sense.

There’s no one-size-fits-all when it comes to data protection. Your business is unique and you know it best. This guide will help you decide what to do with the personal information you hold.

Step one: Make a list

You’ll probably have personal information saved on your phone, tablet or computer to enable you to do your job – such as the names and contact details of customers, members or clients.

Start off by making a list of what personal information you have, or plan to collect, even if you don’t have much at first. For this list, you should generalise the types of information, such as ‘phone numbers of customers’, rather than listing actual phone numbers.

Data protection laws don’t apply when you’re using personal information for purely personal or household activities, so you can ignore things like your family photo album and personal holiday planning calendar.

Step two: Ask yourself ‘why do I need this information?’

Think carefully about your reasons for having personal information. You must only collect what you actually need, and shouldn’t ask for or keep anything ‘just in case’.

If you’re holding or using people’s information, it must always be fair as well as lawful. This means you should only use their data in ways they’d reasonably expect. For example, if you have a customer's telephone number to arrange a delivery, it wouldn't be fair to use that number to call them for personal reasons - they wouldn't expect you to do that.

You also need a valid reason, known as a ‘lawful basis’. There are six types of lawful basis you can use. Use our lawful basis checker to find out which you can rely on, and keep a record of your decision.

Step three: Think security

People care about their information and you must take steps to protect it. Check your security measures line up with the sensitivity of the personal information you hold. You must put stronger measures in place if the information is sensitive or poses a higher risk for the person it relates to, for example, financial information that could be used for fraudulent purposes.

It’s up to you to decide which measures are appropriate for your business, but this could include things like locking filing cabinets and putting strong passwords on your devices.

Step four: Be transparent

You must tell people why you need their data, who you’ll share it with and how long you’ll keep it for.

For example, as an estate agent, you may share the seller’s information with the purchaser’s solicitor so necessary documents can be completed. You must tell people you’re going to do this.

Having a privacy notice is a great way to be transparent. We have a handy privacy notice template you can use. You must review your privacy information regularly and keep it up to date.

Step five: Respond to people’s data protection rights

People have rights in relation to their information. For example, they can ask you to delete it, challenge the accuracy of it and object to what you’re doing with it. People can also ask you to provide a copy of their personal information – known as a subject access request (SAR).

Putting a process in place for handling individual rights requests can save you time in the long run. It’s worth doing this, even if you’ve never received a request before. Take a look at our step-by-step guide on how to deal with a request for information.

Step six: Know how to handle personal data breaches

If any personal information you’re responsible for is lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been, this could be a personal data breach. This could be as a result of a cyber-attack, flood, fire or theft.

Where this happens, you’ll need to act quickly and you may need to report it to us within 72 hours.

It makes good business sense to put an action plan in place sooner rather than later. We’re here to help. We have guidance on how to respond to a personal data breach, and on understanding and assessing risk in personal data breaches, to help you.

Step seven: Check if you need to register with us

Many small businesses must register with us and pay a data protection fee. For most businesses, the fee is £40 per year. You can check whether you need to register by using our self-assessment tool.

Step eight: Set some reminders

Data protection compliance is a journey, and we’re here to help as your business grows. We regularly update our website to help you improve your data protection compliance. Setting regular reminders to check our news and guidance pages will help keep you on track.