Data Protection For Small Business

This easy guide to data protection for small business in the UK will give you all the information you need to make sure you’re up to date with legal requirements.


You’ve probably heard of terms such as GDPR, and you’re most likely wondering what you need to do to comply.

You could be given a heavy fine or made to pay compensation if you misuse personal data or don’t comply with regulations on data protection for small business.

Read on for everything you need to know.


As a business owner, whether you have staff or you're a sole trader, you're responsible for protecting the personal data (personal information) of anyone who comes into contact with your business. This includes customers, account holders, suppliers and staff.

What is personal data?

  • Phone numbers
  • Email addresses
  • Home or business address 
  • Date of birth 
  • Financial information, such as bank details 
  • Health records 
  • CCTV footage
  • Delivery information
  • Staff working hours

Data protection principles

The UK GDPR sets out seven data protection principles, and they apply to a small business just as they do to a large one:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

The ICO's guidance on the UK GDPR explains each of these principles in detail.

Golden rules: Data protection for small business

  1. Holding personal data should be fair and lawful. You should only use this data in ways the person would reasonably expect.

    For example, someone who gave you their email address in order to receive a booking confirmation would not expect that address to be added to a marketing list.

  2. Explain to people why you hold their data, what you plan to do with it, whether it will be shared with other organisations and why, and how long you’ll store the data before disposing of it.

  3. This information should be set out in a document, known as a privacy policy or privacy notice, which describes your approach to data protection.

  4. You must also make people aware that they have the right to see the information you hold about them and correct it if it’s wrong; request their data is deleted; request their data is not used for certain purposes (such as marketing).

  5. You have to have a privacy notice (described above) before you collect any information from anyone.

Data protection security


You should have security measures in place to keep the data safe.

This could mean ensuring that all computers are password protected and have antivirus installed, or that filing cabinets holding paper records are locked. The security measures are your choice, but they must be suitable for the sensitivity of the data you hold.

For example, health and financial records require a higher level of security than a list of delivery addresses.

What you have to do: 5 Steps

Here’s what you have to do to comply with regulations on data protection for small business:

  1. Make a list of all the personal data your business holds or is likely to come into contact with 

  2. Create a privacy policy and make sure you have a lawful basis (such as the person's consent, or a contract with them) before collecting data (discussed above)

  3. Make sure the data you hold is secure (as discussed above)

  4. Register with the Information Commissioner's Office (ICO) and pay the data protection fee, unless your business is exempt, so that the ICO knows how your business uses personal information

  5. Respond to a data protection request, if someone asks to see what information you have about them

Responding to a data protection request

You could receive a fine if you don’t respond to the request or provide the information requested!

According to guidance set out by the UK Government, if someone asks to see the data (information) your business holds on them, this is what you have to do. You must respond to their request within one month of receiving it, and provide the information free of charge.

Before you respond with the information requested, you must check the identity of the person making the request and remove any data which does not relate to them (for example, another person's details that appear in the same record). You must provide confirmation that you are processing their personal data, a copy of the data, and details of how the data is collected, used and disposed of.

You must respond to them in writing or by email if they have submitted the request via email and have agreed to receive correspondence by email. Your response should be clear, easy to read and understand.
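The steps above (verify identity, keep only the requester's own data, strip other people's details, state how the data is processed, and respond within one month) can be turned into a repeatable routine. The following Python is an added example written for this guide, not code from the page, the ICO or any real system; the record layout, the field names, the idea of confirming identity against a date of birth already on file, and the processing descriptions are all constructed assumptions. The deadline calculation follows the ICO's counting rule: the same day in the following month, or the last day of that month if no such day exists.

```python
"""Added example: assembling a subject access request (SAR) response.

Everything here is constructed for illustration: the records, the field
names and the processing descriptions are assumptions, not real data.
"""
import calendar
import copy
import json
from datetime import date

# Constructed sample data store for a small online shop. Each record names the
# person it is about ("subject") so that requests can be matched to records.
RECORDS = [
    {"subject": "alice@example.com", "type": "account", "name": "Alice Smith",
     "phone": "07700 900001", "dob": "1990-05-14", "address": "1 High Street"},
    {"subject": "alice@example.com", "type": "order", "order_id": "1042",
     "delivery_address": "1 High Street",
     # Third-party personal data: the neighbour who accepted the parcel.
     "courier_note": {"left_with": "Carol White, 3 High Street"}},
    {"subject": "bob@example.com", "type": "account", "name": "Bob Jones",
     "phone": "07700 900002", "dob": "1985-02-03", "address": "9 Mill Lane"},
]

# Fields known to hold other people's personal data; never disclosed in a SAR.
THIRD_PARTY_FIELDS = {"courier_note"}

# How the data is collected, used and disposed of (constructed, would normally
# mirror the privacy notice).
PROCESSING_INFO = {
    "collected": "Entered by the customer when creating an account or placing an order",
    "used": "To fulfil orders and send booking and delivery confirmations",
    "disposed": "Orders deleted 6 years after purchase; accounts deleted 2 years after last activity",
}


def verify_identity(records, email, claimed_dob):
    """Confirm the requester against details already on file before disclosing
    anything. Assumption for this example: date of birth is the check."""
    for rec in records:
        if rec["subject"] == email and rec.get("type") == "account":
            return rec.get("dob") == claimed_dob
    return False  # nobody on file, so nothing can be verified


def response_deadline(received):
    """One calendar month from the day the request was received. 31 January
    becomes 28/29 February, because February has no 31st."""
    month = received.month % 12 + 1
    year = received.year + received.month // 12
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def build_sar_response(records, email, received):
    """Collect every record about the subject, with third-party fields removed."""
    own = []
    for rec in records:
        if rec["subject"] != email:
            continue  # someone else's data is never included
        cleaned = {k: copy.deepcopy(v) for k, v in rec.items()
                   if k not in THIRD_PARTY_FIELDS}
        own.append(cleaned)
    return {
        "confirmation": bool(own),          # are we processing their data?
        "records": own,                     # the copy they are entitled to
        "processing": PROCESSING_INFO,      # how it is collected, used, disposed of
        "respond_by": response_deadline(received).isoformat(),
    }


def handle_request(records, email, claimed_dob, received):
    """Entry point: refuse to disclose anything until identity is confirmed."""
    if not verify_identity(records, email, claimed_dob):
        return {"status": "identity_not_verified",
                "respond_by": response_deadline(received).isoformat()}
    response = build_sar_response(records, email, received)
    response["status"] = "ok"
    return response


if __name__ == "__main__":
    # Alice asks on 31 January 2024 for everything held about her.
    print(json.dumps(handle_request(RECORDS, "alice@example.com",
                                    "1990-05-14", date(2024, 1, 31)), indent=2))
```

Two things worth noting in the design. Identity is checked against something the business already holds, rather than against whatever the requester supplies, and a failed check still records a deadline, because the clock runs from receipt even while you ask for more proof of identity. The third-party fields are stripped by name from a fixed list; in a real system that list is the output of step 1 of the checklist above (knowing what personal data each record contains), which is why that inventory comes first.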

Recruitment and managing staff records

You must keep any data you collect on staff or applicants secure: lock paper records in filing cabinets, and protect digital records with passwords or a secure cloud storage system, for example. Only keep the information for as long as you have a clear business need for it, and dispose of it securely afterwards, by shredding paper records, for example.


Your staff have the right to ask for a copy of the information you hold on them. This includes information about grievance and disciplinary issues. If a member of staff makes a request to see this data, you must respond within one month, as with any other subject access request.

Recruitment records

You must give your business name and contact details (or those of the recruitment agency) on job adverts. You should only collect the information you need on digital or written application forms.

Don’t ask for irrelevant information. You should securely dispose of data you no longer require.

Create a privacy policy

As discussed earlier, when processing personal data, you must inform people what you are doing with it. This needs to be in a document called a privacy policy or privacy notice.

You can make this available on your website or as a paper copy.

The Information Commissioner's Office (ICO) provides a free privacy policy template you can use as a starting point. For more information or advice on data protection for small business, contact the ICO.
