Data protection: key issues for businesses

Whatever the size of your business, it is likely that you hold a significant amount of personal data, and every business has a responsibility to manage and protect that data effectively. Businesses should maintain high standards in the handling of personal information and protect each individual's right to privacy.

Making data protection a priority makes good business sense and can enhance your business's reputation. By ensuring that personal information is relevant, accurate and safe, you can increase confidence among employees and customers. The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, so you also need to be aware of the forthcoming changes to data protection legislation.

Data protection principles

The Information Commissioner’s Office (ICO) outlines eight data protection principles of good information handling.

These state that personal information must be:

  • fairly and lawfully processed;
  • processed for specified purposes;
  • adequate, relevant and not excessive;
  • accurate and, where necessary, kept up to date;
  • not kept for longer than is necessary;
  • processed in line with the rights of the individual;
  • kept secure; and
  • not transferred to countries outside the European Economic Area unless the information is adequately protected.

The ICO has the power to impose fines on businesses that do not protect data. Currently these fines cannot exceed £500,000, but the ceiling rises significantly under the GDPR, to a maximum of €20 million or 4% of annual worldwide turnover, whichever is higher.

What does personal data include?

The ICO provides detailed guidance on what constitutes personal data, but broadly speaking it is any information relating to a living individual who can be identified from it, either directly or in combination with other information the business holds or is likely to obtain. It applies whether the data is held on computers, in the cloud or in a structured paper filing system. Examples include name, date of birth, address, bank details, and identifiers such as an email address, customer reference or IP address.

Effective data security procedures need to be part of the culture of your business: all employees should use strong, unique passwords for their accounts and devices, and any portable device or removable media holding personal data should be encrypted. A simple virus or piece of malware can result in the loss of personal data, so improving your cyber security has real benefits for every business. The Government's Cyber Essentials scheme, open to businesses since 2014, sets out five basic controls (boundary firewalls, secure configuration, access control, malware protection and patch management) that help protect an organisation against the most common cyber attacks.

The ICO provides guidance for businesses on how to collect, process and store personal information, and useful resources on the ICO website include a self-assessment checklist.

The ICO's top tips for businesses include:

  • ensuring people are aware of how you are using their data;
  • ensuring people are aware who their data will be shared with;
  • using strong passwords;
  • encrypting portable devices including laptops and memory sticks;
  • making sure your business has established data retention policies in place; and
  • ensuring that your organisation has a process for deleting personal information securely.


Effective data processing

If you handle personal data, you may need to register as a data controller with the ICO. Registration is a legal requirement, and every organisation that processes personal information must register unless it is exempt. If you are unsure whether your business needs to register, the ICO offers a five-minute self-assessment that will help you decide.

The GDPR will introduce new, much stricter rules on data protection and place a greater obligation on businesses to obtain and record consent where consent is the basis for processing. The Regulation will supersede the current Data Protection Act 1998.

How will GDPR affect businesses?

We will cover how GDPR will affect businesses in more detail in a forthcoming article, but key points to be aware of include:

  • the UK will apply the GDPR despite Brexit;
  • all staff need to be made aware of the regulations;
  • you must appoint someone to take responsibility for data protection and assess whether you are required to formally designate a Data Protection Officer;
  • you cannot assume consent: consent must be a clear, affirmative action, so silence, pre-ticked boxes or a failure to opt out will not be treated as consent; and
  • you will need to keep a record of how and when consent was given, and allow people to withdraw it as easily as they gave it.

The ICO has published an overview of the new regulations, and its twelve-step guide, "Preparing for the GDPR: 12 steps to take now", will help businesses prepare for this important piece of legislation.

Talk to us

Lucas Fettes work with many local businesses helping them to address the particular challenges and risks they face in their day-to-day operations. To find out how we could help you with your challenges, or to arrange a free, no obligation consultation, please get in touch. Call us on 0330 660 0148 or email

Lucas Fettes & Partners are Cyber Essentials accredited. Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks.