The pandemic brought everything online, but with that came additional data privacy challenges. App-based ordering in pubs, teaching on Zoom, and contact tracing has meant organisations and third-parties are collecting more of our personal data. But the UK\u2019s privacy body, the Information Commissioner\u2019s Office (ICO), has reminded people that they have a choice whether to hand over their personal data<\/a>.<\/p>\n\n\n\n Learn more about how to navigate these data protection challenges as a small business in our simple guide:<\/p>\n\n\n\n The Data Protection Act 2018<\/a> is a piece of UK legislation that\u2019s designed to protect the privacy of personal data. It replaces the Data Protection Act 1998 and now incorporates GDPR legislation into UK law.<\/p>\n\n\n\n In essence, the law aims to:<\/p>\n\n\n\n 1. Give citizens and residents more control of their personal data<\/strong> \u2013 everyone has a right to find out what information the government and organisations hold about them.<\/p>\n\n\n\n 2. Simplify regulations for all businesses to help them protect personal data<\/strong> \u2013 making sure that information is used lawfully, fairly, and transparently.<\/p>\n\n\n\n Although you may think that this only applies to larger companies, in fact most businesses hold some personal data \u2013 for example customer contact details, or HR information about staff.<\/p>\n\n\n\n If you do use or store personal information, and this information relates to someone that can be identified, you’re referred to in the Act as a \u2018data controller\u2019.<\/p>\n\n\n\n The European General Data Protection Regulation (GDPR) came into force in the UK in May 2018. However, since the UK left the European Union and the transition period ended on 31 December 2020, the GDPR has now been incorporated into the Data Protection Act 2018.<\/p>\n\n\n\n You may need to comply with both the UK GDPR and the EU GDPR if your business operates in Europe, or you offer goods or services to people in Europe.<\/p>\n<\/div>\n\n\n\n <\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n The Data Protection Act 2018 and UK GDPR applies to any business established in the UK.<\/p>\n\n\n\n The main question to ask yourself is, how often does your business deal with personal data<\/strong>? This includes your customer data of course, but have you factored in supplier data? Past and present employees?<\/p>\n\n\n\n If you\u2019re collecting any of this data routinely, you need to comply with the UK GDPR, whether the data is stored on a spreadsheet, your computer, mobile phone, or in the cloud. It applies for both manual data collection and automated digital capture. <\/p>\n\n\n\n Even as a small business you must follow the law and take responsibility for handling personal data. Beyond that, it can help you demonstrate to potential and existing customers that you\u2019re doing everything you can to protect their data from being lost, stolen, damaged, misused, or shared \u2013 this level of trust is invaluable and could even help you bring in more business.<\/p>\n<\/div>\n\n\n\n The Data Protection Act 2018 offers stronger legal protection for more sensitive information, such as:<\/p>\n\n\n\n Generally, you\u2019ll need explicit consent from individuals if you want to collect or process sensitive information.<\/p>\n<\/div>\n<\/div>\n\n\n\n As an employer, you’ll have a number of unique responsibilities. Firstly, workers have a legal right to access information that their employer may hold on them.<\/p>\n\n\n\n Meanwhile, employers should also make sure that staff comply with data protection regulations in their day-to-day work, and have a duty to monitor the likes of telephone calls, emails, and CCTV where necessary.<\/p>\n\n\n\n Data controllers have a series of important responsibilities, and must follow the seven data protection principles.<\/p>\n<\/div>\n<\/div>\n\n\n\n If your organisation deals with personal data, you must consistently act in accordance with the seven key principles set out in the DPA.<\/p>\n\n\n\n This is among the most important requirements of the DPA. To comply, you must provide people with the name of your business, and details of how their information will be used. You should make it clear that the individual can access and correct the information that you hold about them.<\/p>\n\n\n\n Crucially, you must also tell them if the information will be used in any way that\u2019s not immediately obvious. For example, you must tell the individual if their details will be passed on to credit reference agencies.<\/p>\n\n\n\n You must be clear why you\u2019re collecting someone\u2019s personal data and how you intend to use it. This clearly links to the lawfulness, fairness, and transparency principle mentioned above.<\/p>\n\n\n\n You can\u2019t use the data collected for another, \u2018incompatible\u2019, or unlawful purpose. For example, if your purpose changes over time and this isn\u2019t \u2018compatible\u2019 with the original purpose, you\u2019ll need to get the individual\u2019s specific consent for the new purpose.<\/p>\n\n\n\n You should only collect the bare minimum; you may not collect information that isn\u2019t immediately relevant to the specified purpose, and you may not collect more information than you need.<\/p>\n\n\n\n Any information you hold must be factually accurate, and updated where necessary. Depending on the nature of your business, you may need to develop mechanisms that allow people to update their details quickly.<\/p>\n\n\n\n This storage limitation principle states that you shouldn\u2019t keep data any longer than needed. If you collected data for a purpose that\u2019s time-limited then you should make sure that the information isn\u2019t retained beyond that point. Reducing how long you hold data also helps you to reduce the risk of storing personal data that\u2019s inaccurate or out of date. <\/p>\n\n\n\n It\u2019s good practice to tell people how long you intend to keep the data for and you might find it useful to set retention periods for your data.<\/p>\n\n\n\n You must take adequate steps to maintain the integrity and confidentiality of personal data. Having an information security policy in place can help demonstrate that you\u2019re looking after personal data and reducing the risk of it being compromised.<\/p>\n\n\n\n This final principle sets out the law when it comes to accountability. As a data controller, you\u2019re responsible for what you do with personal data and must demonstrate how you\u2019re looking after people\u2019s privacy.<\/p>\n\n\n\n More information on the GDPR principles<\/a> can be found on the ICO website.<\/p>\n<\/div>\n<\/div>\n\n\n\n Here are some key things to think about when it comes to collecting individual\u2019s data:<\/p>\n\n\n\n Ultimately, consent should put individuals in control, build trust and engagement, and enhance your reputation.<\/p>\n<\/div>\n<\/div>\n\n\n\n As well as following the key principles above, you may also need to pay a data protection fee to the Information Commissioner’s Office (ICO). The DPA works on the basis that all data controllers notify the ICO, but there are some exemptions. If you\u2019re not exempt but you fail to notify the ICO, you risk prosecution.<\/p>\n\n\n\n You may be exempt if you only<\/strong> process personal data for one (or more) of the following purposes:<\/p>\n\n\n\n You can use the ICO’s online checker tool<\/a> to see if your business is exempt from registration. Even if you\u2019re exempt from paying a fee, you still need to comply with other data protection obligations.<\/p>\n\n\n\n If you do need to register, you\u2019ll need to pay a data protection fee<\/a>. Registration generally costs between \u00a340 and \u00a360 a year.<\/p>\n\n\n\n If you don\u2019t comply with the Data Protection Act, you could face serious penalties. The maximum fine under UK GDPR and the DPA is now \u00a317.5 million or four per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher.<\/p>\n<\/div>\n<\/div>\n\n\n\n 1. Know your data<\/strong><\/p>\n\n\n\n Demonstrate an understanding of the types of personal data you\u2019re holding (such as name, address, email, bank details, photos, IP addresses) and sensitive data (for example health details or religious views), as well as where the data is coming from, where it\u2019s going and how it\u2019ll be used.<\/p>\n\n\n\n 2. Identify when you\u2019re relying on consent<\/strong><\/p>\n\n\n\n If you\u2019re relying on personal consent to process personal data (for example, as part of your marketing) then you need to be clear, specific, and explicit as to your purpose.<\/p>\n\n\n\n 3. Review your security measures<\/strong><\/p>\n\n\n\n Make sure you have strong security measures and policies. Broad use of encryption, for example, could be a good way to reduce the risk of a security breach. <\/p>\n\n\n\n 4. Meet access requests<\/strong><\/p>\n\n\n\n Everyone has a right to access any personal data you may hold. The right of access under GDPR states that you must respond to a request within one month. This can only be extended in mitigating circumstances.<\/p>\n\n\n\n 5. Train your employees<\/strong><\/p>\n\n\n\n Staff should report a serious personal data breach within 72 hours. Make sure that everyone knows the process for reporting and who to report a breach to.<\/p>\n\n\n\n 6. Conduct due diligence on your supply chain<\/strong><\/p>\n\n\n\n Make sure your suppliers and contractors are compliant with UK GDPR to avoid being impacted by any breaches.<\/p>\n\n\n\n 7. Regularly review your privacy policies<\/strong><\/p>\n\n\n\n People have a right to be informed of how you\u2019re using their personal data. This should be included in your privacy policies and information should be reviewed regularly to make sure it\u2019s up to date.<\/p>\n\n\n\n 8. Check if you need to employ a Data Protection Officer<\/strong><\/p>\n\n\n\n Most small businesses will be exempt. However, if your company\u2019s core activities involve \u2018regular or systematic\u2019 monitoring of data subjects on a large scale, or which involve processing large volumes of sensitive data, you must employ a Data protection Officer.<\/p>\n\n\n\n For more information, check out these resources from the ICO:<\/p>\n\n\n\n If you\u2019re not sure about anything, seek guidance from the Information Commissioner\u2019s Office (ICO), or from an independent legal professional.<\/p>\n\n\n\n If you have legal expenses insurance<\/a> as part of your Simply Business policy, you have access to a number of useful services through Arag Businesslaw<\/a> (you\u2019ll just need your voucher code found in your policy documents to register).<\/p>\n\n\n\n Arag has a legal advice helpline, available whether you\u2019re facing a serious legal issue or just want to check something with an adviser. They also offer a range of legal templates and guides, including a GDPR checklist and handbook, video guides to handling information requests and templates for GDPR privacy notices.<\/p>\n\n\n\n Is there anything else you\u2019d like to know about data protection? Let us know in the comments.<\/strong><\/p>\n\n\n\n With Simply Business you can build a single self employed insurance<\/a> policy combining the covers that are relevant to you. Whether it’s public liability insurance<\/a>, professional indemnity<\/a> or whatever else you need, we’ll run you a quick quote online, and let you decide if we’re a good fit.<\/p>\n\n\n\n\n
What is the Data Protection Act 2018?<\/h2>\n\n\n\n
What does GDPR stand for \u2013 and does GDPR still apply?<\/h3>\n\n\n\n
What does the Data Protection Act mean for my business?<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.simplybusiness.co.uk\/wp-content\/uploads\/sites\/3\/2024\/08\/AdobeStock_562456221_a4dd65-scaled.jpeg?w=1024\")
Is your data \u2018sensitive\u2019?<\/h3>\n\n\n\n
\n
The Data Protection Act \u2013 employers’ responsibilities<\/h2>\n\n\n\n
The Data Protection Act \u2013 7 key principles<\/h2>\n\n\n\n
1. Personal data must be processed lawfully, fairly, and in a transparent manner<\/h3>\n\n\n\n
2. Personal data must be processed for specified, explicit, and legitimate purposes<\/h3>\n\n\n\n
3. Personal data must be adequate, relevant, and not excessive<\/h3>\n\n\n\n
4. Personal data must be accurate and up to date<\/h3>\n\n\n\n
5. Personal data shouldn\u2019t be kept any longer than is necessary<\/h3>\n\n\n\n
6. Personal data must be processed securely<\/h3>\n\n\n\n
7. The controller is responsible for GDPR and must demonstrate compliance<\/h3>\n\n\n\n
How do I get consent from my customers to use their data?<\/h2>\n\n\n\n
\n
Do I need to register with the ICO?<\/h2>\n\n\n\n
\n
Registration and the data protection fee<\/h3>\n\n\n\n
GDPR checklist \u2013 tips for small businesses<\/h2>\n\n\n\n
\n
What to do if you’re taken to court over a GDPR breach<\/h2>\n\n\n\n
Useful guides for small businesses<\/h3>\n\n\n\n
\n
Looking for self-employed insurance?<\/h3>\n\n\n\n