Data Protection

Good data protection – not as difficult as you may think!

You know its important to look after other people’s data and that applies to your company and its customers data/information as well!

How important? The negligent loss of personal data can lead to quite high fines in the worst cases and they could collapse your business. Therefore, you need to be able to say that you had a process and did your best to look after your customer’s data.

In practical terms, its relatively straight forward to meet the data protection requirements for a small business because any reasonably efficient sales process will need a filing and accounting process.


Whatever your business, you need to keep your customers data protected. They must agree to giving you their data and for the purposes you need it for in the conduct of your business and any transaction with the customer.


At the very least, if you collect any customer information like a name and contact details then you need:

  • a privacy policy statement which the customer can read before giving you the information.
  • a cookie notice if you’re online (even for simple analytics except a site counter).
  • a filing system, digital or paper, in which you can find and delete personal/customer data.
  • an understanding of the data you are required to hold by law once you have collected it.
  • a way a customer or his representative can contact you regarding data issues/concerns.

For a policy examples, take a look at this sites Services Family Ltd Privacy Policy.


General Data Protection Regulations (GDPR).

What is GDPR?

GDPR is an overhaul of the old Data Protection Act. It places new regulations on businesses to ensure that customers know how you use their data, what data you have and provides customers with new rights and controls over their personal data – CUSTOMERS OWN, THEIR OWN DATA.

GDPR will apply in the UK from 25 May 2018 and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of GDPR.

There is a range of new sweeping rights for customers:

  1. The right to be informed – customers have to be told why a company wants their data.
  2. The right of access – a customer can ask what data a company holds on them.
  3. The right to rectification – a customer can correct any data a business has which is wrong
  4. The right to erasure – a customer can have all your data, aside that the company has to retain for legal reasons, removed from the company’s files.

There are further rights covering your customer’s control over data usage, the right to transfer it to another company, the right to challenge the use of data by a company and to control how their data is used in decision making or personal profiling.

Under GDPR, customers also have new rights regarding the loss of their data. A personal data breach is more than just loosing personal data. For example; a hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal procedures and security controls. A serious breach could impact your customer’s digital profile and if they were disadvantaged, they could request rectification and/or to be compensated.

Fortunately, the government is very helpful to small businesses on data protection guidance and your responsibilities. The following sections come from their website.

Business owners can get more detail on how GDPR can affect you and your business at Information Commissioners Office.


Here are some guidelines for your new business.

Data protection – looking after the information you hold

If you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Broadly speaking, personal information links data to an individual which can be identified as such. There are two categories; Personal Data and Sensitive Personal Data.


Personal data means data which relate to a living individual who can be identified –

  1. from those data, or
  2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.


Sensitive personal data means personal data consisting of information as to –

  1. the racial or ethnic origin of the data subject,
  2. his/her political opinions,
  3. his/her religious beliefs or other beliefs of a similar nature,
  4. whether he/she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  5. his/her physical or mental health or condition,
  6. his/her sexual life,
  7. the commission or alleged commission by him/her of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

The Information Commissioner’s Office (ICO) has produced practical advice on how to comply with data protection law and how to improve data protection practices in your business, including how to keep employees’ and customers’ personal information secure and how to get ready for the data protection reforms.

Information for businesses


Self Assessment Tools

There is a wealth of useful information on the ICO site and good self assessment tools.

Use the Information Commissioner’s Office (ICO) checklists to assess your compliance with the Data Protection Act and find out what you need to do. Good information handling makes good business sense, and provides a range of benefits. You’ll enhance your business’s reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money.

Data protection self-assessment toolkit


How much does it cost?

The cost of your data protection registration for most businesses is £35. The payment is always VAT:nil

Remember: You really should have a policy statement on your data protection, regardless of if you are registered with the ICO, and there are templates that can form the basis for your business.

Nature of your business work


Do you think some additional information on protecting your data (Cyber security) and staying safe online would help?

Services Family Ltd has teamed up with experts, ex-military veterans of cyber, to provide you with some online learning. Try reading 7 Top Tips in Online Security.