Data Protection and Your Business

You must follow rules on data protection if your business stores or uses personal information.

This applies to information kept on staff, customers and account holders, for example when you:
Recruit staff
Manage staff records
Market your products or services

This could include:
Keeping customers’ addresses on file
Recording staff working hours
Giving delivery information to a delivery company

The Information Commissioner's Office (ICO) has guides to help businesses, including small businesses and sole traders (see its Guide to Data Protection). The ICO is the independent regulator for the Data Protection Act 2018, the General Data Protection Regulation and the Privacy and Electronic Communications Regulations 2003 across the UK, and for the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.


What data is affected

As with the Data Protection Act 1998, the GDPR applies to 'personal data': any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

  • This definition allows a wide range of identifiers to constitute personal data, including:
    name, postal address, phone numbers,
    identification number,
    location data, photo or CCTV images, or
    online identifiers, e.g. an IP address.

This reflects changes in technology and the way organisations collect information about people.

Sensitive Personal Data

Under GDPR this becomes known as Special Categories of Personal Data.  GDPR treats this personal data as more sensitive and therefore requiring more protection.  It includes:

  • Medical records and absence records (health data)
  • Biometric data (where used to identify someone)
  • Genetic data

The full list in Article 9 also covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation.

Although data relating to criminal convictions and offences is not a special category, Article 10 requires it to be treated in a similar way to Sensitive Personal Data.


Data Controller

A person who (either alone, jointly, or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Under GDPR the Data Controller takes on additional responsibilities, including ongoing due diligence on any Data Processor that processes and safeguards personal data shared with it.  A Data Controller remains responsible for any personal data it shares with a Data Processor.  If a Processor suffers a data breach affecting that data, it must report it to the Data Controller without undue delay, so the Controller can decide whether it is a personal data breach that must be reported to the ICO (within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals).  Existing Controller-to-Processor contracts need to be revised to include the terms GDPR (Article 28) now requires.

Data Processor

A person (other than an employee of the data controller) who processes personal data on behalf of the data controller.

Under GDPR a Data Processor may only act on the Data Controller's documented instructions as to what it can do with the data and how long it should be kept.  Data Processors must also co-operate with the Data Controller in respect of any data breach.


Processing

Obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including:

    • organisation, adaptation or alteration of the information or data,
    • retrieval, consultation or use of the information or data,
    • disclosure of the information or data by transmission, dissemination or otherwise making available, or
    • alignment, combination, blocking, erasure or destruction of the information or data.

Lawful Basis for Processing

Under GDPR (Article 6) you must have a valid lawful basis to process personal data.  There are six lawful bases for processing:

1. Consent
2. Contract
3. Legal obligation
4. Vital interests
5. Public task
6. Legitimate interests

No basis is 'better' or more important than the others; which basis is most appropriate will depend on your purpose and your relationship with the individual.  You must record your decision.

  • Note:
    You must select the most appropriate basis before you start processing; you are not expected to change bases later.
    If you rely on Consent and it is withdrawn, but you would still process the data anyway, Consent was never the appropriate lawful basis.  You should consider an alternative basis.
    GDPR imposes additional requirements where the personal data of children is processed, in particular for consent to online services offered to a child.

Processing Special Categories

When processing special category data, you need to identify both a lawful basis for processing (Article 6) and a Special Category condition for processing (Article 9(2)).  The ten conditions are:

1. Explicit consent
2. Employment, social security and social protection law
3. Vital interests of the individual
4. Not-for-profit bodies
5. Information made public by the individual
6. Legal claims
7. Substantial public interest
8. Health or social care
9. Public health
10. Archiving, research and statistics


Rights of the Individual

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

The right to be informed, the right of access, the right to rectification and the right to restrict processing apply whatever your lawful basis.  Others depend on the basis: the right to data portability applies only where you rely on Consent or Contract; the right to object applies where you rely on Legitimate interests or Public task, and always to direct marketing; the right to erasure is strongest where the processing relied on Consent that has since been withdrawn.  So when you rely on Consent, all of the above rights are open to the individual; selecting a different lawful basis may remove some of them.


Consent of the Individual

GDPR sets a higher standard for consent.  It is likely that existing consents will not meet this standard and cannot be relied upon after 25th May 2018.  In particular, consent must be:

  • An informed decision;
  • A clear and specific statement or affirmative action: no pre-ticked boxes, no consent by default, and not a condition of a contract;
  • Separate from other terms and conditions;
  • Specific, so that you get separate consent for separate things; vague or blanket consent is not enough;
  • Clear and concise;
  • As easy to withdraw as it is to give;
  • Verifiable, so that on request you can produce a record of who gave it, when it was given, how it was given, and what the individual was told when they consented;
  • Kept under review and refreshed if anything changes.


Initial Steps to Consider

  1. Consider preparing your Data Mapping recording the personal data which flows through your organisation, where it comes from, what the data is, how it is stored, who it is shared with, your legal basis for processing and how long it is retained.
  2. How do you handle staff special categories of data and what is your legal basis for processing?
  3. Revisit your existing Consents and consider whether they meet GDPR requirements, particularly for Marketing Databases.  NB: be careful before mass-mailing existing databases.  How reliable is your database?  Have previous consent withdrawals been removed from the current database?  Did you have consent originally to add the names to the database, or were they simply added on a whim?  If recipients complain to the ICO, you could face a substantial fine under the existing Privacy and Electronic Communications Regulations (PECR).
  4. Revisit contracts with existing suppliers with whom you share personal data.  Are they GDPR compliant, providing for ongoing due diligence, e.g. obtaining a copy of their GDPR policy, site visits, data breach history, accreditations held (e.g. ISO 27001 and/or Cyber Essentials Plus), etc.?
  5. Revisit existing Privacy Notices: are they GDPR compliant?  Download the ICO checklist to review them.  GDPR requires a privacy notice to be given at the time personal data is collected directly from the individual.  If personal data is received from a third party, the notice must be given within a reasonable period and at the latest within one month of receipt, or sooner if you first communicate with the individual or disclose the data to someone else before then.  Normally your contract or application forms will cover these aspects.
  6. Consider your data retention and archiving policy: does it meet GDPR requirements?
  7. Do you have any digital “Contact Us” or quotation modules or e-commerce platforms operating through your website?  If so, what personal data is recorded, where is it stored and when is it deleted?
  8. Do you or any Data Processors transfer personal data outside the European Economic Area (EEA)?  Remote access to personal data from outside the EEA is also classed as a data transfer.  GDPR imposes additional conditions on these transfers.
  9. Train your staff in the requirements of GDPR and your revised policies and procedures.  Generate an awareness of GDPR and the need for appropriate and robust data security measures.
  10. What processes do you have for identifying, recording and reporting Personal Data Breaches, so you can decide whether a breach is reportable to the ICO (within 72 hours of becoming aware of it) and, if necessary, to the individuals affected?
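As an added illustration, not code from the original page: the consent requirements above (a record of who gave it, when, how and what they were told; separate consent per purpose; withdrawal as easy as giving) and the step 3 check that withdrawn consents have actually been removed from a marketing database, implemented as a small Python consent ledger. The subject names, purposes, privacy-notice versions and dates are constructed sample data, and treating consent given under an older privacy notice as needing a refresh is an assumption made for the example, not a rule stated on this page.

```python
"""Purpose-specific consent ledger.

Added illustration, not code from the original page: one way to keep consent
records with the properties the text requires (who, when, how, what they were
told), one consent per purpose, withdrawal as easy as granting, and a check
that a marketing list only contains people with current, valid consent.
Names, purposes and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # who gave or withdrew consent
    purpose: str          # what for: one purpose per consent (no blanket consent)
    granted: bool         # True = consent given, False = consent withdrawn
    timestamp: datetime   # when (timezone-aware)
    method: str           # how, e.g. "web_form_opt_in", "unsubscribe_link"
    notice_version: str   # what they were told: the privacy-notice version shown


class ConsentLedger:
    """Append-only log; the current position is the latest event per (subject, purpose)."""

    def __init__(self, current_notice_version: str) -> None:
        self.current_notice_version = current_notice_version
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # Events are never edited or deleted: a withdrawal is a new event, so
        # both the original grant and the withdrawal can be produced on request.
        if event.timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        self._events.append(event)

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full history for one subject and purpose, oldest first."""
        return sorted(
            (e for e in self._events if e.subject_id == subject_id and e.purpose == purpose),
            key=lambda e: e.timestamp,
        )

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        history = self.evidence(subject_id, purpose)
        return history[-1] if history else None

    def has_valid_consent(self, subject_id: str, purpose: str) -> bool:
        # Assumption made for this example: consent given under an older
        # privacy notice is treated as needing a refresh and is not relied on.
        event = self.latest(subject_id, purpose)
        return (
            event is not None
            and event.granted
            and event.notice_version == self.current_notice_version
        )

    def filter_mailing_list(self, subject_ids: list[str], purpose: str) -> list[str]:
        """Keep only recipients whose latest event for this purpose is a current, valid grant."""
        return [s for s in subject_ids if self.has_valid_consent(s, purpose)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data covering the cases a mailing-list check must handle."""
    utc = timezone.utc
    ledger = ConsentLedger(current_notice_version="v2")
    ledger.record(ConsentEvent("alice", "email_marketing", True, datetime(2018, 6, 1, tzinfo=utc), "web_form_opt_in", "v2"))
    # bob opted in, then withdrew: the withdrawal must win.
    ledger.record(ConsentEvent("bob", "email_marketing", True, datetime(2018, 5, 30, tzinfo=utc), "web_form_opt_in", "v2"))
    ledger.record(ConsentEvent("bob", "email_marketing", False, datetime(2018, 7, 1, tzinfo=utc), "unsubscribe_link", "v2"))
    # carol's consent predates the current notice: refresh it before relying on it.
    ledger.record(ConsentEvent("carol", "email_marketing", True, datetime(2017, 3, 14, tzinfo=utc), "paper_form", "v1"))
    # dave consented to postal marketing only: that is not consent to email.
    ledger.record(ConsentEvent("dave", "postal_marketing", True, datetime(2018, 6, 2, tzinfo=utc), "web_form_opt_in", "v2"))
    # erin has no record at all and must not be emailed.
    return ledger


def rejects_naive_timestamp() -> bool:
    """A record without a timezone is ambiguous evidence and is refused."""
    ledger = ConsentLedger("v2")
    try:
        ledger.record(ConsentEvent("x", "email_marketing", True, datetime(2018, 6, 1), "web_form_opt_in", "v2"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ledger = build_sample_ledger()
    candidates = ["alice", "bob", "carol", "dave", "erin"]
    print("may email:", ledger.filter_mailing_list(candidates, "email_marketing"))
    for event in ledger.evidence("bob", "email_marketing"):
        print(event)
```

Running the module prints the one recipient who may be emailed and bob's full grant-then-withdrawal history, which is the evidence that would be produced on request. Because the ledger is append-only, a withdrawal never deletes the original grant, so the record of what the individual was told, and when, survives alongside the withdrawal.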