This easy guide to data protection for small business in the UK will give you all the information you need to make sure you’re up to date with legal requirements.
You’ve probably heard of terms such as GDPR, and you’re most likely wondering what you need to do to comply.
You could be given a heavy fine or made to pay compensation if you misuse personal data or don’t comply with regulations on data protection for small business.
Read on for everything you need to know.
In this guide…
- What is personal data?
- Data protection principles
- Golden rules: Data protection for small business
- Data protection security
- What you have to do: 5 steps
- Responding to a data protection request
- Recruitment and managing staff records
As a business owner, whether you have staff or you’re a sole trader, you’re responsible for protecting the personal data of anyone who comes into contact with your business.
This includes customers, account holders, suppliers and staff.
What is personal data?
Personal data is any information that identifies, or can be linked to, a living person. Examples include:
- Phone numbers
- Email addresses
- Home or business address
- Date of birth
- Financial information, such as bank details
- Health records
- CCTV footage
- Delivery information
- Staff working hours
Data protection principles
The UK GDPR sets out 7 principles on data protection for small business:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Golden rules: Data protection for small business
- Holding personal data should be fair and lawful. You should only use this data in ways the person would reasonably expect.
For example: they have provided you with their email address in order to receive a booking confirmation.
- Explain to people why you hold their data, what you plan to do with it, whether it will be shared with other organisations and why, and how long you’ll store the data before disposing of it.
- You must also make people aware that they have the right to see the information you hold about them and correct it if it’s wrong; request their data is deleted; request their data is not used for certain purposes (such as marketing).
- You have to have a privacy notice (described above) before you collect any information from anyone.
Data protection security
You must have security measures in place in order to keep the data safe.
This could mean making sure every computer is password protected, has up-to-date software and antivirus installed and (for laptops and phones that leave the office) has its disk encrypted, or that filing cabinets holding paper records are locked.
The security measures are your choice, but they must be proportionate to the sensitivity of the data you hold and to the harm a leak would cause.
For example, health and financial records require a higher level of security than a list of business email addresses.
What you have to do: 5 Steps
Here’s what you have to do to comply with regulations on data protection for small business:
- Make a list of all the personal data your business holds or is likely to come into contact with
- Tell people what data you collect, why, who you share it with and how long you keep it (your privacy notice) before you collect it
- Make sure the data you hold is secure (as discussed above)
- Tell the Information Commissioner’s Office (ICO) how your business uses personal information (most businesses that process personal data must also pay the ICO’s data protection fee, unless they are exempt)
- Respond to a data protection request, if someone asks to see what information you have about them
Responding to a data protection request
You could receive a fine if you don’t respond to the request or provide the information requested!
According to guidance set out by the UK Government, if someone asks to see the data (information) your business holds on them, this is what you have to do.
You must respond to their request within one month, and provide the information free of charge (you may extend the deadline by a further two months for complex requests, and may refuse or charge a reasonable fee only if a request is manifestly unfounded or excessive, but you must tell the person within the first month).
Before you respond with the information requested, you must check the identity of the person making the request and remove any data which does not relate to them, including other people’s personal data.
You must provide confirmation that you are processing their personal data, a copy of the data, and details of how the data is collected, used and disposed of.
You must respond to them in writing or by email if they have submitted the request via email and have agreed to receive correspondence by email.
Your response should be clear, easy to read and understand.
Recruitment and managing staff records
Any data you collect on staff or applicants must be kept secure. Lock paper records in filing cabinets, and set passwords on computer records or use a secure cloud storage system for digital documents.
Only keep the information for as long as you have a clear business need for it, and dispose of it securely afterwards, by shredding paper records for example.
Your staff have the right to ask for a copy of the information you hold on them.
This includes information about grievance and disciplinary issues.
If a member of staff makes a request to see this data, you must respond to their request within one month.
You must give your business name and contact details (or those of the recruitment agency) on job adverts.
You should only collect the information you need on digital or written application forms.
Don’t ask for irrelevant information.
You should securely dispose of data you no longer require.
As discussed earlier, when processing personal data, you must inform people what you are doing with it.
You can make this available on your website or as a paper copy.
For more information or advice on data protection for small business contact the Information Commissioner’s Office (ICO).