Everything You Need To Know About Data Protection For Your Business

Luisa Ddakis | 21 March 2022

Data protection is one of the global buzzwords at the moment, and rightly so. Most people have suddenly received a flood of phone calls after registering for something or filling in their details on a form. The sale or trading of customer information is slowly becoming more and more restricted. That is a relief for everyone, but it does mean that you, as a business, need to be extra careful about asking for, storing and sharing customer information – even if no malice is intended.

To help small businesses and entrepreneurs navigate the change, we have collated everything you need to know about data protection for your business.

What is the ICO?

The ICO is the Information Commissioner’s Office, the UK’s independent authority “set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. Its website hosts hundreds of information pages, ranging from guidance for the military to guidance for small businesses. We have extracted the pertinent references from the ICO database to make it easier for business owners to understand the ramifications.

When Is A Business Doing Data Collection?

The legislation treats you as ‘having data’ whenever you are processing ‘personal data’, regardless of whether you are a one-person band, a medium-sized enterprise or a football club.

Knowing the right steps for data protection for your business will bolster your brand’s image and deepen trusting relationships with customers. Trust is at the core of the data protection legislation. The legislation is not an ultimate solution, as the use of data has myriad exceptions, but it attempts to establish comprehensive guidelines and a ‘spirit’ of fairness. Your role in data protection is to establish trust by treating an individual’s details fairly and responsibly.

When a business innocently receives information from a client for their order, it seldom dawns on them that they are in the process of data collection. By working through the points below, you can see how compliant your business is with data protection legislation.

  • When you receive a person’s details and they are not for your personal use (or your family’s), e.g. the plumber’s details for your home repairs, then you must treat and store them as data protection legislation requires.
  • Data is protected in the United Kingdom via two sets of legislation:
    • DPA 2018
    • UK GDPR
  • As mentioned above, the lawmakers were cognizant that it would be impossible to cover every possible scenario and hence set up guidelines and a ‘spirit’ regarding expected behaviour.
  • The full responsibility then rests with you, the data collector, to:
    • Think before acting with data.
    • Justify how you used the data as fair and responsible.
    • Justify why you used the data as fair and responsible.

If you need certified third-party advice, process design, data protection audits, complaint management, etc., then the ICO is the best point of contact.

How does legislation describe data protection?

At its most basic level, data protection is about fairness, good behaviour and privacy rights, approached in a practical rather than philosophical way. The aim of the Act is to stop the mistrust that has been brewing among consumers towards institutions that require private details. That mistrust has rightfully grown from constant abuse of privacy by institutions, both because they have not fully comprehended that holding someone’s details does not give them ownership of those details, and because they have protected the data very poorly.

An individual has the right, at all times, to decide who receives their information. Having said that, the need for details when the safety of society is at stake must also be addressed, and a person’s details are constantly needed to execute transactions or collaborate on an objective.

Why is the legislation so vague?

With such diversity in businesses and data requirements, there is no template solution. Because of the complexities surrounding an attempt at precise legislation, setting the rules in stone is impossible.

The approach used to solve this dilemma is called ‘risk-based’ and is underpinned by seven key principles. This allows the courts to apply it to myriad situations and establishments, but it also does little to stop people playing with loopholes.

However, the courts view ‘playing with loopholes’ in a very dim light. Throughout its many pages, the legislation repeats that the Crown looks to the business to behave conservatively and act in the spirit of the legislation. This means that if you have any inkling of doubt about how or why you are using an individual’s data, you should contact the ICO and take the time to work through the legitimacy of your proposed actions.

While we are offering guidelines and insights, it must be reiterated that you are the final and ultimate step of accountability, as you know your business or establishment better than anyone. Regardless of who informed you, you are 100% accountable.

Definition of terms within the act

Before diving into the extracts of the two different acts, let’s look at some key terms and their descriptions:

Personal data

Personal data means the specific details of an individual, including both publicly known and private details. A person’s name is most likely on the internet nowadays; however, this does not make it public domain knowledge. Personal data does not refer only to hidden or anonymous data.

Processing

At its simplest level, the term ‘processing’ refers to any action in relation to handling information, such as:

  • Requesting it
  • Receiving it
  • Writing, typing or voice recording it
  • Storing it
  • Using or sharing it
  • Analysing it, e.g. for demographic purposes
  • Adding it to other data, e.g. database

Controller

This is the person responsible for initiating the collection or use of information, including deciding why and how it is done. Even if the instruction comes from a department, one person will have signed off on it and therefore carries the accountability. The team members acting on this instruction are not controllers, as they did not originate it. The controller is accountable for compliance.

Processor

The team members mentioned above are the processors, executing data tasks on behalf of the controller. A small amount of accountability sits with the processor, but the majority sits with the controller.

Data subject

This is the individual giving you their personal information.

What is the DPA 2018?

The DPA 2018 (which superseded the DPA 1998) is the Act that sets out the structure within which the law is executed; it was updated in 2021 as a result of Brexit.

It works hand in hand with the UK GDPR and stipulates different guidelines for different institutions, e.g. businesses versus the military. It also clarifies the ICO’s role and authority.

What Is The UK GDPR?

The General Data Protection Regulation of the United Kingdom is referred to as the UK GDPR. It has been UK law as of 2021 and contains the seven principles of data protection, the accountability of ‘controllers’ and the rights of ‘data subjects’, excluding the military, police, etc.

If you operate across borders, you may also have to check your compliance against the EU equivalent, the EU GDPR.

What Is The DPA 2018 Process?

As mentioned above, DPA 2018 provides the framework for data protection over a diverse range of scenarios, including various state security divisions, military, public protection, etc. We are only discussing the section called Part 2: General processing (UK GDPR).

Part 2 complements and refines the guidelines put out by the UK GDPR and, if you are going to read the entire DPA 2018, it must be read alongside the UK GDPR. The main areas of interest for businesses are:

  • Sections 1-28
  • Schedule 1 (sensitive data)
  • Schedules 2-4 (exclusions)
  • Schedule 21 (transition)

What Are The 7 Principles?

As referred to above, the UK GDPR sets out seven key principles to guide business owners through the complex area of data protection. These seven principles are published as follows:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

These are the guiding principles that must inform your actions when “processing” an individual’s personal details for business purposes.

Here is a checklist to help you:

  • Have you ascertained that you have valid grounds for asking for, recording and utilising the details of individuals?
  • Have you checked that you are not unwittingly breaking the law with the data that you are in possession of or are using?
  • Is your behaviour fair and responsible? Are your actions harmful to the owner of that personal data? Have you misled someone in order to obtain their details? (The latter is a common transgression online.)

You must be clear, open and honest with people from the start about how you will use their personal data.

Why are the principles mentioned so much?

We admit that we have referred to the principles numerous times. This is because they sit at the core of the data protection law. They were the basis on which the law was built and have influenced everything that came after them.

They are principles, not dogma cast in stone, but they imbue the spirit of the law and thus are broad-reaching. This broad reach means there are few exemptions.

The crown looks at the controller’s respect and upholding of this spirit and the controller’s efforts to be fair and responsible. By following these principles, you are more likely to be complying with the law.

If you choose to ignore the principles, your risk of non-compliance quickly increases, and non-compliance can lead to hefty fines. Article 83(5)(a) clarifies that non-compliance with the principles could expose you to “the highest tier of administrative fines”. The highest tier is indeed significant: a fine of GBP 17.5 million, or 4% of turnover if that gives a higher figure.

How are the principles stated in the UK GDPR law?

The principles are stated as follows in the UK GDPR law under Article 5(1). These are direct extracts from the law and can be found in the ICO hub of documentation.

Personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Children and data protection

The law and the Act guide controllers to pay particular attention to safeguarding children when using their private details, due to children’s obvious lack of wisdom and life experience.

If you are considering capturing the private details of a child, you are cautioned to reconsider whether it is really necessary. If it is, then more protective care and security should be applied to that data than to the details of adults.

Application of the seven principles and the values of the Act and law should never be in doubt when processing a child’s details.

What about the EU GDPR data protection law and the UK?

This is a good point to raise, as the EU GDPR still applies to businesses in the United Kingdom. Unfortunately, you cannot put this one through the shredder yet! You must still assess and review your practices and ensure that you are compliant with the EU GDPR.

However, there is a silver lining. You do not need two compliance audits, because the principles of the law, the rights of individuals and the responsibility or liability of the processor are very alike between the two laws.

The leading measures within the EU GDPR that need to be adhered to include but are not limited to:

  • The appointment of a European Union representative,
  • Ensuring any current legal agreements that involve EU-UK data movement must contain approved regulation contractual clauses,
  • Identifying an EU “lead supervisory authority”,
  • Updating your documentation, procedures and rules regularly to keep them aligned to EU GDPR changes.

But, yes, there are differences.

The leading measures within the EU GDPR that are different to the UK GDPR include but are not limited to:

  • A child’s legal age – Under the UK GDPR, the age limit for a minor from whom you are requesting data is thirteen years old. Under the EU GDPR, the age limit for a minor from whom you are requesting data is a minimum of sixteen years old.
  • Automatic profiling – Under the UK GDPR, you may carry out automated decision-making when building a profile or categories where there is a valid justification to do so. Under the EU GDPR, the European Union’s broader data legislation covering the privacy rights of individuals empowers individuals to choose whether to reject having their data included in automated profiling.
  • Public interest – The right to access an individual’s private details in the interest of, for example, public safety is easier to exercise under the UK GDPR than under the EU GDPR.

What has the impact of Brexit been on data protection?

As of 2021, the UK was in a pending status, with a “third country” designation, regarding data protection between the EU and the UK.

The term ‘third country’ refers to any country outside the EU economic zone. An EU resident’s private details can be moved across the border to a ‘third country’ if the transfer qualifies under the following three EU GDPR criteria:

  • The ‘third country’ has been deemed by the EU to have adequate and acceptable standards of data protection.
  • If the EU has not deemed the country to have adequate and acceptable standards of data protection, the recipient must manage the transfer via Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
  • All transfers must be executed under strict, authorised codes of conduct.

If you have individuals’ data on file, it is not yours to use as you see fit, even if you think it is for the data owner’s benefit. Only they, by law, have the right to make that decision, so tread carefully and put away your maverick boots.