Data protection: key responsibilities for small businesses

The Information Commissioner’s Office (ICO) was recently given the power to fine small businesses up to £500,000 for breaches of the Data Protection Act. As a small business owner it is highly likely that you will have some data protection responsibilities – and yet, despite the severe penalties, many business owners are unaware of their obligations.

The Data Protection Act 1998 sets out the obligations conferred upon organisations that handle personal information. Most businesses hold some personal data, for example about customers or employees. If you do, and this information relates to someone that can be identified, you are referred to in the Act as a ‘data controller’.

Data controllers have a series of important responsibilities, and must abide by the eight data protection principles.

The eight key principles

If your organisation deals with personal data, you must ensure that you consistently act in accordance with the eight key principles set out in the Data Protection Act. The principles state that personal information must:

be processed fairly and lawfully

This is among the most important requirements of the Act. In order to comply, you must provide individuals with the name of your business, and details of the purpose for which their information will be used. You should make clear that the individual can access and correct the information that you hold about them.

Crucially, you must also tell them if the information will be used in any way that is not immediately obvious. For example, you must tell the individual if their details will be passed on to credit reference agencies.

be processed for specified lawful purposes

You must have a specified, lawful reason for collecting data; you cannot simply collect it speculatively. Furthermore, you cannot use the data collected for another, “incompatible” or unlawful purpose.

be adequate, relevant and not excessive

You should only collect the bare minimum; you may not collect information that is not immediately relevant to the specified purpose, and you may not collect more information than you need.

be accurate and up to date

Any information you hold must be factually accurate, and updated where necessary. Depending on the nature of your business, you may need to develop mechanisms that allow individuals to update their details quickly.

not be kept for any longer than is necessary

If the purpose for which you collected the data is time-limited, you must ensure that the data is not retained once it is no longer needed. Where applicable, you should tell individuals how long the data is likely to be retained for.

be processed in accordance with the rights of individuals

The Act sets out the rights of individuals, as well as the responsibilities of data controllers. You should make sure that you understand these rights, and act in accordance with them.

be kept secure

You must take adequate steps to ensure the security of the data. This means that it should be safe from tampering, loss, or unlawful processing. You may need to develop both technical and organisational processes to help you deal with this obligation.

not be transferred outside the European Economic Area without adequate protection

Data may only be transferred out of the EEA if the country to which it is being transferred has adequate legal protection for individuals and their details.

Should you notify the ICO?

As well as ensuring that you abide by the eight key principles, you may also be required to notify the ICO of your activities. The Act works on the basis that all data controllers are required to notify, but some exemptions are available. If you are not exempt but you fail to notify the ICO, you risk prosecution.

You may be exempt from the notification requirement if:

  • you only process data for the purposes of: staff administration; payroll; advertising, marketing and PR that are directly related to your own business activities; or accounts and record-keeping
  • yours is a not-for-profit organisation
  • data is only being processed for personal, family, or household affairs
  • you only process data in order to maintain a public register
  • or if no automated system, like a computer, is used in the processing of data


If you do not qualify for an exemption, you must notify the ICO. You can do this online, through the ICO website, or by calling the Notification Department on 01625 545 740.

The new penalties for non-compliance mean that it is more important than ever for small and medium sized enterprises (SMEs) to abide by their data protection obligations. If you are in doubt, you should seek advice from the Information Commissioner’s Office, or from an independent legal professional.