Data Protection


As a business owner, protecting the data of you customers is very important and the failure to provide adequate protection and notify the relevant authorities, where necessary, can result in serious criminal consequences.


Data protection rules

You must make sure the information is kept secure, accurate and up to date.

For example, when you collect someone’s personal data you must tell them:

  • who you are
  • how you’ll use their personal information
  • they have the right to see the information and correct it, if it’s wrong

Also say if the information will be used in other ways – e.g. if it may be passed to other organisations.


When do I need to notify the ICO?

The ICO advises that you will need to notify them if you are holding people’s personal information, unless it’s for your own personal use.

Who is the data controller?

Whoever in your organisation processes personal information; they will be deemed the data controllers.

If I need to notify the ICO, what do I do next?

If you are required to notify the ICO, you will have to complete their notification form and pay the required fee, which, if you are a small business, is only £35.

There are certain organisations who do not need to notify the ICO even if they are processing personal information. The ICO identifies these individuals as those who only have personal information for:

  • staff administration (including payroll);
  • advertising, marketing and public relations for your own business; or
  • accounts and records (some not-for-profit organisations)

Click here to view the Information Commissioner’s Guidance to help you comply with the Data Protection Act 1998.


Subject access requests

Subjects are those individuals whose personal information you have processed. They have a legal right under the Data Protection Act 1998 to request access to their data that you hold.  If you receive a subject access request, you are under a legal obligation to answer them within 40 calendar days.  You are free to charge up to £10 for each formal request.

Click here to view the ICO’s guidance on handling subject access requests.

Note: You will need to be aware of the new rules on cookies introduced by the amended Privacy and Electronic Communications Regulations. Websites must obtain informed consent from visitors before saving cookies on their machine to track their behaviour. You may have already noticed that when you visit most websites, there is usually some form of notification or pop-up banner requesting your consent to allow them to track your behaviour with cookies.