1. Data protection legislation
Data protection legislation is the body of law that governs how personal information is collected, stored, used and shared.
In the UK, data protection is governed by the Data (Use and Access) Act 2025, the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018.
If you run your business internationally or have a website that can attract international traffic, then you may need to comply with other data protection regulations. For example, if you offer goods or services to people within the European Economic Area, or monitor their behaviour (e.g. with tracking on your website), the EU General Data Protection Regulation may also apply to you.
2. Identify if data protection laws impact your business
It is important to understand what counts as personal data and how to manage it properly. Personal data is any information from which an individual can be identified, directly or indirectly. Almost all small businesses process personal data.
For example:
- if your customers can order online and you gather their name, address, email and perhaps phone number to fulfil their order
- if you run a shop with CCTV that captures images of customers
- if you keep a contacts list of your customers or suppliers
- if your website runs cookie-based tracking or has a contact form.
Any business with employees also processes personal data: documents confirming their identity and right to work, next-of-kin details, CVs, and anything related to performance management.
The Information Commissioner’s Office (ICO) is sponsored by the Department for Science, Innovation and Technology and is the UK regulator for data protection and information rights legislation. It oversees compliance by all organisations - businesses, charities and public sector bodies - and aims to help them achieve it. The ICO can issue fines for infringements of data protection law.
The ICO has simple interactive tools to help small businesses quickly assess:
3. Understand the concepts of data protection
To comply with your obligations, first you need to understand the basic concepts of data protection. It’s important to read and understand the ICO’s definitions of all of these concepts, which they specifically tailor for small businesses.
What is defined as personal data?
Personal data is any information that relates to an “identified or identifiable individual”. This includes everyday identifiers such as:
- name
- address
- email address
- identification number
- location data
- online identifiers (such as an IP address or a tracking cookie identifier)
- other identifying factors.
Personal data also includes “special categories” that need extra care and protection. This is data relating to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic, biometric and health data
- sex life or sexual orientation.
Processing special category data requires a specific condition under Article 9 of the UK GDPR in addition to a lawful basis.
Who’s who, and what are their responsibilities?
You need to know the difference between data subjects and the organisations that act as data controllers, joint data controllers or data processors, and which role your business takes for each processing activity.
Data controllers carry the primary responsibility for compliance, but processors also have direct obligations of their own, such as processing only on the controller’s documented instructions and keeping the data secure.
- Data subjects - the individuals whose data you process - e.g. your customers, staff, donors, website users, suppliers, etc.
- Data controllers - the person or legal entity (such as a limited company, sole trader, public authority, etc.) which decides what personal data to collect, why it is collected and how it will be used.
- Data processors - the person or legal entity (such as a limited company, sole trader, public authority, etc.) which processes personal data on behalf of a data controller.
To understand more about whether you are a controller or a processor, see the ICO definitions and see the ICO checklist.
How to determine whether your processing is lawful
You must identify at least one of the six lawful bases before you process personal data, and record which one applies to each processing activity. The six are:
- consent
- contract
- legal obligation
- vital interests
- public task
- legitimate interests.
The eight rights of individuals
You need to understand how individual rights apply to your lawful basis for processing so that you do not infringe them. Which rights apply, and how strongly, depends on the lawful basis you rely on.
These rights apply in many (but not all) circumstances and include being able to:
- be informed about how you are using their data
- access the data you hold on them
- object to processing, or withdraw consent where consent is the basis
- have inaccuracies corrected
- have their data erased
- have the processing of their data restricted
- transfer their data to another controller (portability)
- have human involvement in automated decision-making and profiling.
What is classed as a personal data breach
A personal data breach is a security incident that affects the confidentiality, integrity or availability of personal data, for example when data is:
- disclosed to others when it should not have been
- lost
- accidentally destroyed
- altered without permission
- damaged.
If the breach is likely to result in a risk to people’s rights and freedoms, you must report it to the ICO without undue delay and within 72 hours of becoming aware of it - this interactive breach assessment tool will help you decide whether that is necessary. You must keep a record of every personal data breach, whether or not it is reportable.
4. The seven principles of data protection
There are seven principles of data protection. They apply to all processing of personal data and cover your overall approach as well as how you gather, use and store data.
Overall approach
Lawfulness, fairness and transparency
You must have a lawful basis for processing, process data fairly, and tell people what data you collect about them and what you do with it.
- The ICO has an interactive guidance tool to help you identify the lawful basis that may apply to your processing.
- It also provides advice for small businesses about cookies, cookie consent and privacy notices on your websites and online platforms. This includes a tool to assess whether you are sufficiently transparent and a privacy notice generator, which may help you produce your own privacy notice without paying a specialist.
Accountability
You must take responsibility for complying with the regulations, respect the rights of individuals and keep records that demonstrate your compliance. The ICO has advice to help you, for example:
- training and resources for your staff
- how to fix common mistakes
- how to handle complaints about your processing of personal data
- how to respond to a subject access request (SAR), where a data subject asks for all the data you hold relating to them, and how to assess what you need to do
- assessing how prepared you are to respond to data breaches, knowing how to handle them, and how to assess whether you need to report them to the ICO.
Gathering and using data
Data minimisation
You must collect only personal data that is adequate, relevant and limited to what you actually need for your stated purpose.
Accuracy
You must ensure the personal data you gather is correct and updated as necessary.
Purpose limitation
You must record the purpose for which you are collecting data, state it in your privacy information, and use the data only for that purpose, to prevent “function creep”.
Storing data
Integrity and confidentiality (security)
You must protect personal data with appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage, and you must be able to restore access to it (for example from backups) after an incident.
The ICO has detailed advice on information security including quick wins, and has a checklist for small businesses to assess their security measures for storing personal data.
Storage limitation
You must only keep personal data for as long as you need it, then securely destroy or delete it. The ICO has information on the practical steps to destroy documents; this needs careful thought to ensure data is removed from every device and type of media, including forgotten areas such as recycle bins. For magnetic disks this may involve specialist deletion software that overwrites the data; overwriting is not reliable on SSDs, flash media or cloud storage, where encrypting the data and destroying the key, or using the provider’s own deletion process, is the practical route.
Find out more and access checklists about the seven data protection principles.
5. Stay up to date and get advice
The Data (Use and Access) Act 2025 (DUAA) is being phased in. It amends elements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
It aims to promote innovation and economic growth and to make things easier for organisations while still protecting people’s rights. This includes easing the use of data for scientific research and automated decision-making, and relaxing the consent requirement for certain low-risk website cookies, such as those used for statistical purposes or to improve website functionality. The ICO will issue new guidance covering these changes.
The ICO also provides advice to small businesses via phone, chat or email, including on:
- registering and paying your data protection fee
- legislation and compliance
- reporting a breach.
6. Prepare for data breaches
If data is lost, damaged or shared inappropriately, act quickly. If the breach is reportable, you must notify the ICO within 72 hours of becoming aware of it. Have a response plan ready before it happens.
The ICO’s step-by-step guide on how to respond to a data breach, written for small and medium organisations, includes a self-assessment to see whether you need to report: 72 hours - how to respond to a personal data breach | ICO
7. Check if you need to register
Many small businesses must register with the ICO and pay an annual data protection fee unless an exemption applies. Use the ICO’s self-assessment tool to check.
8. Stay up-to-date
Set reminders to check the Information Commissioner’s Office (ICO) website for updates and guidance. Data protection is an ongoing responsibility.
If you’re looking for further support, you can contact the ICO here.