
UK Data Protection - What the law requires from small businesses

If you’re a new small business owner, or you’ve been trading a while and been busy keeping the business going, you may be wondering what your responsibilities are regarding the personal data that seems to be relentlessly accumulating within your records – customer names and addresses, telephone numbers, email addresses, dates of birth, personal preferences, order details and all the other information that relates to the people you deal with.

Questions may be bouncing around in the back of your mind such as:

  • Am I ok to collect all this information?
  • How long can I keep it for?
  • Do I have to tell anyone about the data I’m collecting?
  • Should I be registering with the government?
  • What happens if I lose the information, or it is stolen?

These are all important points for a small business, and you need to be aware of the answers, so we’ll give you the main points here.


Data Protection Law in the UK

Since Brexit, there are two main laws that dictate what you can and can’t do with personal data (that is, information that can be associated with a living individual) in the UK. These are the Data Protection Act 2018 and the UK GDPR (General Data Protection Regulation). Compliance with these laws is regulated by the Information Commissioner’s Office (ICO) and their website is a useful source of easily-digested information about all the areas we’re going to outline in this article.

But first there are a couple of extra things we should mention. One is that in 2024 the Conservative UK Government was planning to amend the UK GDPR to make it a bit less stringent, particularly for small businesses, in the form of the Data Protection and Digital Information Bill. But this bill fell at the last hurdle when Rishi Sunak called a general election in July 2024, and we don’t yet know what the next government will do in this area. Watch this space.

The other is that UK data protection law only applies to the personal data of people in the UK; if you have customers in other countries (the EU for example) then you must comply with their data protection laws too. The good news is that there is a set of general principles, which we will outline here, that forms the foundation of most such laws, and if you follow them you won’t go too far wrong in any country.

Data Protection Principles

The basic principles of data protection are as follows, with our brief explanation of what they mean:

  • Lawfulness, fairness and transparency – you must have a lawful reason for processing personal data that meets people’s reasonable expectations, and the people concerned must be aware of what you’re doing.
  • Purpose limitation – use the personal data only for the reason you collected it, and no more.
  • Data minimisation – only collect the personal data you must in order to achieve your purpose.
  • Accuracy – keep the personal data up to date and correct.
  • Storage limitation – don’t keep the personal data longer than you need to.
  • Integrity and confidentiality (security) – keep the personal data safe.
  • Accountability – take your responsibilities seriously and be able to show that you do.

These principles are generally accepted internationally, including within the EU GDPR. Have a look on the ICO website if you want more information about them.

So now we know the relevant laws and their principles, what about those questions we mentioned at the start of this article? Let’s take them one by one.

Am I ok to collect all this information?

To collect and process personal data you must have a lawful basis to do so. This effectively means a good reason, and there are six to choose from:

  1. Consent – you can ask permission from the person the data belongs to (the “data subject”).
  2. Contract – you need the information to be able to meet your obligations (for example, you need an address to be able to deliver ordered goods).
  3. Legal obligation – the law says you must ask for the information.
  4. Vital interests – the information will help to protect the data subject.
  5. Public task – you need to be able to fulfil your public duties (mainly applies to public bodies).
  6. Legitimate interests – it’s a reasonable thing for you to want to do (often used for tasks like email marketing).

For a small business the most common lawful bases are likely to be Contract and Legitimate interest; you can use Consent too but be aware that the data subject can withdraw consent at any time.

Effectively what you need to do is to look at each instance where you collect personal data and decide on (and document) the most appropriate lawful basis in each case. So, for example at your website checkout it’s probably Contract, when sending follow-up marketing emails it might be Legitimate interest and when asking people to sign up for your newsletter it might be Consent.

How long can I keep it for?

Once you have established why you’re collecting and processing the personal data, you next need to think about how long it’s reasonable to keep it for. There are no hard and fast rules here (apart from where legal obligations apply, such as for accounting or tax purposes), but you do need to make some decisions. Bear in mind that keeping information that is no longer useful to you is a risk to you because if it’s stolen, you’re still liable under data protection law. Having decided how long you will retain data for, you then need to make sure the data does actually get deleted at the right time.

Do I have to tell anyone about the data I’m collecting?

Yes, you do. There is a list of information that you must tell the data subject at the point where you collect the personal data (for example on your website). This is part of the transparency principle and should allow the data subject to understand factors such as what is being collected, for what purpose, how long the data will be kept for and what countries it may be sent to. In theory, this allows the person to make an informed decision about whether they want to provide the information, but in practice such privacy notices are seldom read (though they are still legally required).

Should I be registering with the government?

Yes, unless your organisation is exempt. The ICO is allowed to charge you a fee starting at £35 a year unless you meet a very specific set of exemption criteria. There is a self-assessment wizard to help you decide if that is the case.

What happens if I lose the information, or it is stolen?

If you suffer what is generally termed a “breach” then you may need to report it to the ICO and they may decide to investigate and fine you. In reality fines are rare and usually come about either because the breach was a result of significant negligence or the guilty party didn’t co-operate with the investigation, or both. Often the penalty for a small business is simply a warning and an instruction to take action to improve. In some cases you may be required to tell the data subjects that you have lost their data which to many businesses is a worse penalty than a fine, as it involves significant embarrassment.

In Summary

Even the smallest business in the UK needs to take data protection seriously because the law expects a certain set of tasks to be completed to stay legal. However, once you understand what needs to be done, and you get your head around the personal data you collect and process, it doesn’t need to be an onerous job.

We’ve outlined some of the more common tasks here, but head over to the ICO website to get a fuller picture of your obligations, and don’t forget to pay that fee!


Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Published in April 2024 and updated in August 2024.


How can CertiKit help with your UK Data Protection requirements?

CertiKit’s UK Data Protection Toolkit includes more than 100 template documents and guides, and comes complete with email support and a lifetime update subscription.

For more guidance on complying to the UK GDPR and other data protection laws post-Brexit, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.
