Data protection

All businesses must properly handle the personal information given to them by customers. In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 1998 (the DPA) which is enforced by the Information Commissioner's Office (ICO).

Get started

Create your Data protection and data security policy

Answer a few questions. We'll take care of the rest 

Why is this relevant to you?

For individuals: be aware of how information you give to others can be used. You have certain rights relating to data held about you, including:    

  • the right to access the data and be informed about how your data is being processed

  • the right to object to the processing in certain circumstances.    

For business owners: if you handle personal information (and, let’s face it, you are always going to be handling personal information because as a business you have to keep records on your customers), you have a number of legal obligations to protect that information.

What is 'personal data'?

Personal data is information (whether held electronically or physically) relating to individuals only (ie not companies or other organisations) who can be identified from that data (on its own or with other data held). It includes:

  • names

  • addresses (including email addresses)

  • telephone numbers

  • dates of birth

  • job titles.

There is a further category of 'sensitive personal data' which includes information about:

  • racial or ethnic origin

  • political opinions

  • religious or similar beliefs

  • trade union membership

  • physical or mental health or condition

  • sexual life

  • criminal records.  

The DPA’s requirements are even stricter when it comes to sensitive personal data.

What are my obligations if I collect personal information?

You must make sure the information is:

  • used fairly and lawfully

  • used for limited, specifically stated purposes

  • used in a way that is adequate, relevant and not excessive

  • kept for no longer than is necessary

  • kept safe and secure

  • not transferred outside the European Economic Area (EEA) without adequate protection.

These are strict rules known as the 'data protection principles'. How they are interpreted and enforced depends on the perceived risk of harm arising from a failure to comply. Today, therefore, if you collect a person's credit card details, good practice requires that you keep that data safe and secure at all times and never send it unencrypted. The ICO has guidance on this topic.

Data protection and your business

You must follow the rules on data protection in relation to information you retain about staff, customers and account holders. This applies when, for example, you:

You can find useful information about data protection and dealing with your staff on the government’s website and you can download the Information Commissioner’s advice for organisations.

How do I set about complying with the DPA?

If your business controls any personal data, you will need to register as a data controller with the Information Commissioner. Details of how to go about this can be found on the Information Commissioner's Office's website.

You should nominate someone within your business to be responsible for ensuring data protection compliance. The compliance officer should become familiar with data protection requirements and audit the organisation’s data processing activities. The compliance officer should also consider drawing up a data protection and data security policy and other guidance to make everyone within the organisation aware of the data protection requirements.

Where you collect personal data through a website, you should build into your website a privacy policy which informs individuals about the proposed processing of their personal data and enables them to consent to this.
