If you’re running a business, chances are you’re also dealing with personal information. Whether that’s details about customers, suppliers, or your own staff, it’s important to follow certain data protection regulations.
Read on to understand more about the Data Protection Act (DPA), UK GDPR and the key principles you need to be aware of as a small business.
The pandemic brought everything online, but with that came additional data privacy challenges. App-based ordering in pubs, teaching on Zoom, and contact tracing has meant organisations and third-parties are collecting more of our personal data. But the UK’s privacy body, the Information Commissioner’s Office (ICO), has reminded people that they have a choice whether to hand over their personal data.
Learn more about how to navigate these data protection challenges as a small business in our simple guide:
The Data Protection Act 2018 is a piece of UK legislation that’s designed to protect the privacy of personal data. It replaces the Data Protection Act 1998 and now incorporates GDPR legislation into UK law.
In essence, the law aims to:
1. Give citizens and residents more control of their personal data – everyone has a right to find out what information the government and organisations hold about them.
2. Simplify regulations for all businesses to help them protect personal data – making sure that information is used lawfully, fairly, and transparently.
Although you may think that this only applies to larger companies, in fact most businesses hold some personal data – for example customer contact details, or HR information about staff.
If you do use or store personal information, and this information relates to someone that can be identified, you're referred to in the Act as a ‘data controller’.
The European General Data Protection Regulation (GDPR) came into force in the UK in May 2018. However, since the UK left the European Union and the transition period ended on 31 December 2020, the GDPR has now been incorporated into the Data Protection Act 2018.
You may need to comply with both the UK GDPR and the EU GDPR if your business operates in Europe, or you offer goods or services to people in Europe.
The Data Protection Act 2018 and UK GDPR applies to any business established in the UK.
The main question to ask yourself is, how often does your business deal with personal data? This includes your customer data of course, but have you factored in supplier data? Past and present employees?
If you’re collecting any of this data routinely, you need to comply with the UK GDPR, whether the data is stored on a spreadsheet, your computer, mobile phone, or in the cloud. It applies for both manual data collection and automated digital capture.
Even as a small business you must follow the law and take responsibility for handling personal data. Beyond that, it can help you demonstrate to potential and existing customers that you’re doing everything you can to protect their data from being lost, stolen, damaged, misused, or shared – this level of trust is invaluable and could even help you bring in more business.
The Data Protection Act 2018 offers stronger legal protection for more sensitive information, such as:
Generally, you’ll need explicit consent from individuals if you want to collect or process sensitive information.
As an employer, you'll have a number of unique responsibilities. Firstly, workers have a legal right to access information that their employer may hold on them.
Meanwhile, employers should also make sure that staff comply with data protection regulations in their day-to-day work, and have a duty to monitor the likes of telephone calls, emails, and CCTV where necessary.
Data controllers have a series of important responsibilities, and must follow the seven data protection principles.
If your organisation deals with personal data, you must consistently act in accordance with the seven key principles set out in the DPA.
This is among the most important requirements of the DPA. To comply, you must provide people with the name of your business, and details of how their information will be used. You should make it clear that the individual can access and correct the information that you hold about them.
Crucially, you must also tell them if the information will be used in any way that’s not immediately obvious. For example, you must tell the individual if their details will be passed on to credit reference agencies.
You must be clear why you’re collecting someone’s personal data and how you intend to use it. This clearly links to the lawfulness, fairness, and transparency principle mentioned above.
You can’t use the data collected for another, ‘incompatible’, or unlawful purpose. For example, if your purpose changes over time and this isn’t ‘compatible’ with the original purpose, you’ll need to get the individual’s specific consent for the new purpose.
You should only collect the bare minimum; you may not collect information that isn’t immediately relevant to the specified purpose, and you may not collect more information than you need.
Any information you hold must be factually accurate, and updated where necessary. Depending on the nature of your business, you may need to develop mechanisms that allow people to update their details quickly.
This storage limitation principle states that you shouldn’t keep data any longer than needed. If you collected data for a purpose that’s time-limited then you should make sure that the information isn’t retained beyond that point. Reducing how long you hold data also helps you to reduce the risk of storing personal data that’s inaccurate or out of date.
It’s good practice to tell people how long you intend to keep the data for and you might find it useful to set retention periods for your data.
You must take adequate steps to maintain the integrity and confidentiality of personal data. Having an information security policy in place can help demonstrate that you’re looking after personal data and reducing the risk of it being compromised.
This final principle sets out the law when it comes to accountability. As a data controller, you’re responsible for what you do with personal data and must demonstrate how you’re looking after people’s privacy.
More information on the GDPR principles can be found on the ICO website.
Here are some key things to think about when it comes to collecting individual’s data:
Ultimately, consent should put individuals in control, build trust and engagement, and enhance your reputation.
As well as following the key principles above, you may also need to pay a data protection fee to the Information Commissioner's Office (ICO). The DPA works on the basis that all data controllers notify the ICO, but there are some exemptions. If you’re not exempt but you fail to notify the ICO, you risk prosecution.
You may be exempt if you only process personal data for one (or more) of the following purposes:
You can use the ICO's online checker tool to see if your business is exempt from registration. Even if you’re exempt from paying a fee, you still need to comply with other data protection obligations.
If you do need to register, you’ll need to pay a data protection fee. Registration generally costs between £40 and £60 a year.
If you don’t comply with the Data Protection Act, you could face serious penalties. The maximum fine under UK GDPR and the DPA is now £17.5 million or four per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher.
1. Know your data
Demonstrate an understanding of the types of personal data you’re holding (such as name, address, email, bank details, photos, IP addresses) and sensitive data (for example health details or religious views), as well as where the data is coming from, where it’s going and how it’ll be used.
2. Identify when you’re relying on consent
If you’re relying on personal consent to process personal data (for example, as part of your marketing) then you need to be clear, specific, and explicit as to your purpose.
3. Review your security measures
Make sure you have strong security measures and policies. Broad use of encryption, for example, could be a good way to reduce the risk of a security breach.
4. Meet access requests
Everyone has a right to access any personal data you may hold. The right of access under GDPR states that you must respond to a request within one month. This can only be extended in mitigating circumstances.
5. Train your employees
Staff should report a serious personal data breach within 72 hours. Make sure that everyone knows the process for reporting and who to report a breach to.
6. Conduct due diligence on your supply chain
Make sure your suppliers and contractors are compliant with UK GDPR to avoid being impacted by any breaches.
7. Regularly review your privacy policies
People have a right to be informed of how you’re using their personal data. This should be included in your privacy policies and information should be reviewed regularly to make sure it’s up to date.
8. Check if you need to employ a Data Protection Officer
Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or which involve processing large volumes of sensitive data, you must employ a Data protection Officer.
For more information, check out these resources from the ICO:
If you’re not sure about anything, seek guidance from the Information Commissioner’s Office (ICO), or from an independent legal professional.
Is there anything else you’d like to know about data protection? Let us know in the comments.
With Simply Business you can build a single self employed insurance policy combining the covers that are relevant to you. Whether it's public liability insurance, professional indemnity or whatever else you need, we'll run you a quick quote online, and let you decide if we're a good fit.Start your quote
We create this content for general information purposes and it should not be taken as advice. Always take professional advice. Read our full disclaimer
6th Floor99 Gresham StreetLondonEC2V 7NG
Sol House29 St Katherine's StreetNorthamptonNN1 2QZ
© Copyright 2021 Simply Business. All Rights Reserved. Simply Business is a trading name of Xbridge Limited which is authorised and regulated by the Financial Conduct Authority (Financial Services Registration No: 313348). Xbridge Limited (No: 3967717) has its registered office at 6th Floor, 99 Gresham Street, London, EC2V 7NG.