Leadership · 21 March 2022

Everything You Need To Know About Data Protection For Your Business

Data protection is one of the global buzzwords at the moment, and rightly so. Most citizens have received a plethora of phone calls suddenly after registering for something or completing their details on a form. Well, the sale or trading of customer information is slowly becoming more and more restricted. That’s a sigh of relief for everyone, but it does mean that you, as a business, need to be extra careful about asking for, storing and sharing customer information – even if no malice is intended.

To help small businesses and entrepreneurs navigate the change, we have collated everything you need to know about data protection for your business.

What is the ICO?

The ICO is the Information Commissioner’s Office, the UK’s independent authority “set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. Its website hosts hundreds of information pages, ranging from military information to small business guidance. We have extracted the pertinent references from the ICO database to make it easier for business owners to understand the ramifications.

When Is A Business Doing Data Collection?

The legislation refers to ‘having data’ as when you are processing ‘personal data’, regardless of whether you are a one-person band, a medium-sized enterprise or a football club.

Ensuring you know the right steps for data protection for your business will bolster your brand’s image and deepen trusting relationships with customers. Trust is at the core of the data protection legislation. The legislation is not an ultimate solution, as the use of data has myriad exceptions, but it attempts to establish comprehensive guidelines and a ‘spirit’ of fairness. Your part in data protection is to establish trust by treating an individual’s details with fairness and a responsible attitude.

When a business innocently receives information from a client for their order, it seldom dawns on them that they are in the process of data collection. By working through the list below, you can see how compliant your business is with data protection legislation.

  • When you receive a person’s details and they are not for your personal use (or your family), e.g. the plumber’s details for your home repairs, then you must treat and store it as per data protection legislation requirements.
  • Data is protected in the United Kingdom via two sets of legislation:
    • DPA 2018
    • UK GDPR
    • As mentioned above, the lawmakers were cognizant that it would be impossible to cover every possible scenario and hence set up guidelines and a ‘spirit’ regarding expected behaviour.
    • The full responsibility then rests with you, the data collector, to:
      • Think before acting with data.
      • Justify your actions as fair and responsible for how you used the data.
      • Justify your actions as fair and responsible for why you used the data.

If you need certified third-party advice, process design, data protection audits, complaint management, etc., then the ICO would be the best point of contact.

How does legislation describe data protection?

At its most basic level, data protection is about fairness, good behaviour and privacy rights, approached in a practical rather than philosophical way. The aim of the Act is to stop the growing mistrust of consumers towards institutions that do require private details. That mistrust has rightfully grown from constant abuse of privacy by institutions, both because they did not fully comprehend that holding the details does not give them ownership of the details, and because they protected the data very poorly.

An individual has a right to decide who receives their information, at all times. Having said that, the legislation must also accommodate the need for details when the safety of society is at stake. A person’s details are constantly needed to execute transactions or collaborate on an objective.

Why is the legislation so vague?

With such diversity in businesses and data requirements, there is no template solution. Because of the complexities surrounding an attempt at precise legislation, setting the rules in stone is impossible.

The modus operandi used to solve this dilemma is called ‘risk-based’ and is underpinned by seven key principles. This allows the courts to apply it to myriad situations and establishments, but it does not create a strong impediment against playing with loopholes.

However, the courts do view ‘playing with loopholes’ in a very dim light. Throughout its many pages, the legislation repeats that the crown looks to the business to behave conservatively and act in the spirit of the legislation. This means that if you have any inkling of doubt as to how or why you are using an individual’s data, then you should contact the ICO and take the time to work through the legitimacy of your proposed actions.

While we are offering guidelines or insights, it must be reiterated that you are the final and ultimate step of accountability as you know your business or establishment better than anyone. Regardless of who informed you, you are 100% accountable.

Definition of terms within the act

Before diving into the extracts of the two different acts, let’s look at some key terms and their descriptions:

Personal data

Personal data is the specific details of an individual, including publicly known details and private details. A person’s name is most likely on the internet nowadays; however, this does not make it public domain knowledge. Personal data does not only refer to hidden or anonymous data.

Processing
At its simplest level, the term ‘processing’ refers to any action in relation to handling information, such as:

  • Requesting it
  • Receiving it
  • Writing, typing or voice recording it
  • Storing it
  • Using or sharing it
  • Analysing it, e.g. for demographic purposes
  • Adding it to other data, e.g. database

Controller
This is the individual responsible for the initiation of collecting or using information, including the why and how. Even if there is an instruction from a department, there will be one person who has signed off on the instruction and therefore carries the accountability. The team members acting on this instruction are not the controllers as they did not originate the instruction. The controller is accountable for compliance.

Processor
The aforementioned team members are the processors executing data tasks on behalf of the controller. A small amount of accountability sits with the processor, but the majority sits with the controller.

Data subject

This is the individual giving you their personal information.

What is the DPA 2018?

The Act that sets out the structure within which the law is executed is the DPA 2018 (superseding the DPA 1998); it was updated in 2021 due to Brexit.

It works hand in hand with the UK GDPR and stipulates different guidelines for different institutions, e.g. businesses versus the military. It also clarifies the ICO’s role and authority.

What Is The UK GDPR?

The General Data Protection Regulation of the United Kingdom is referred to as the UK GDPR. It is a UK law, as of 2021, and contains the seven principles of data protection as well as the accountability of ‘controllers’ and the rights of ‘data subjects’ excluding military, police, etc.

If you operate cross-border, you might have to check your compliance against EU law, viz. the EU GDPR.

What Is The DPA 2018 Process?

As mentioned above, DPA 2018 provides the framework for data protection over a diverse range of scenarios, including various state security divisions, military, public protection, etc. We are only discussing the section called Part 2: General processing (UK GDPR).

Part 2 complements and refines the guidelines put out by the UK GDPR and, if you are going to read the entire DPA 2018, it must be read alongside the UK GDPR. The main areas of interest for businesses are:

  • Sections 1-28
  • Schedule 1 (sensitive data)
  • Schedules 2-4 (exclusions)
  • Schedule 21 (transition)

What Are The 7 Principles?

As referred to above, the UK GDPR sets out seven key principles to guide business owners through the complex area of data protection for your business. These seven principles are published as follows:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

These are the guiding principles that must inform your actions when “processing” an individual’s personal details for business purposes.

Here is a checklist to help you:

  • Have you ascertained that you have valid grounds for asking for, recording and utilising the details of individuals?
  • Have you checked that you are not unwittingly breaking the law with the data that you are in possession of or are using?
  • Is your behaviour fair and responsible? Are your behaviour or actions harmful to the owner of that personal data? Have you misled someone in order to obtain their details? (The latter is a common transgression online.)

You must be clear, open and honest with people from the start about how you will use their personal data.

Why are the principles mentioned so much?

We have referred to the principles numerous times, we agree. This is because they sit at the core of the data protection law. They were the basis on which the law was built and influenced everything that came after them.

They are principles, not dogma cast in stone, but they imbue the spirit of the law and thus are broad-reaching. This broad reach means there are few exemptions.

The crown looks at the controller’s respect and upholding of this spirit and the controller’s efforts to be fair and responsible. By following these principles, you are more likely to be complying with the law.

If you choose to ignore the principles, then your risk of non-compliance quickly increases. Non-compliance can lead to hefty fines. Clarity regarding fines can be found in Article 83(5)(a), which states that non-compliance with the principles could expose you to “the highest tier of administrative fines”. The highest tier is indeed significant: a fine of GBP 17.5 million, or 4% of turnover if that is the higher figure.

How are the principles stated in the UK GDPR law?

The principles are stated as follows in the UK GDPR law under Article 5(1). These are direct extracts from the law and can be found in the ICO hub of documentation.

Personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);