Top tips for businesses on data protection

Data protection can be a minefield for small businesses, but there are a few easy and cost-effective steps that can be taken to ensure they are protected and acting within the limits of the law.

One of the first steps businesses can take to comply with the Data Protection Act 1998 (DPA) is to register as a data controller with the Information Commissioner’s Office (ICO). This can be done directly online and will only cost around £35; don’t pay anyone offering to register you.

On a practical level, businesses need to have internal procedures in place to keep personal and sensitive information secure. It can be time-consuming to identify the risks and develop procedures, but it costs nothing. For example, in the workplace it’s important to give employees access to the files and personal data they need to do their job while making sure top-level information is password protected. If employees are taking company laptops, files or personal data home, ensure you have a signing-out procedure and that data is always secured in a safe environment – consider encryption and laptop safes.

Businesses should only hold the personal data that they need, and dispose of it securely once it has served its purpose. There was a case in the news only last year where a county council was hit with a £100,000 fine by the ICO after documents containing the personal details of over 100 people were found in a disused building. This could have been avoided if waste disposal procedures were in place and monitored.

Businesses should also make sure personal data is protected by having anti-virus and firewall software installed and regularly updated to prevent any cyber-attacks. In reality, small businesses offer a more attractive target for hackers than larger companies, so don’t be complacent on this point.

Many small businesses may not be aware that data protection laws are due to change on 25 May 2018. The EU’s General Data Protection Regulation (GDPR) applies to all organisations handling the data of EU citizens. All businesses should be preparing now for its introduction and will need to demonstrate compliance as soon as possible. Importantly, the UK will still be an EU member state when GDPR comes into force, but even after Brexit it will continue to apply to businesses selling goods and services into the EU.

The new rules will apply to ‘controllers’ and, for the first time, to ‘processors’ of personal data. The definitions are similar to those in the DPA: controllers decide how and why personal data is collected and processed, and processors act on the controller’s behalf.

By Harpreet Sandhu, associate and solicitor at Nelsons Solicitors.
