Data Protection – As a small business, do I need to register with ICO?
As I well know, being in business comes with many challenges, not least the legislation you need to know about. Data Protection is one of the pieces of legislation most commonly misunderstood by small businesses, so I wanted to share with you my view and understanding of this crucial law.
Overview of the Data Protection Act
Anyone who handles customer information is responsible for looking after that data and is subject to the legislation on data protection.
The Data Protection Act (DPA) protects people’s privacy. Therefore, regardless of size, whether you’re a big corporate, large organisation, start-up or small business, the Data Protection Act applies.
For small business owners, it may be hard to get your head around what you need to do to comply.
What is the Data Protection Act?
The Data Protection Act 1998 is described as covering “any information that relates to living individuals which is held on computer” and is one of the laws overseen by the Information Commissioner’s Office (ICO).
The ICO keeps a register of all persons who are “data controllers” of personal data.
To me, that’s quite a broad statement. I have information about living individuals in the form of my Christmas and Birthday card list.
Before you all go rushing to register with the ICO as a data controller just because you’ve got a spreadsheet of your friends’ and family’s names, addresses and birthdays, let’s look at some of the ICO guidance and links which will help you decide whether you need to register.
How do I know if I need to register?
The ICO have published a self-assessment tool which has a set of questions which will determine if you need to register. One of the questions it asks is:
“Are you processing any personal information? That means obtaining, recording, storing, updating and sharing it.”
If you answer “no” to this question, that’s it, all done: you do not need to register and are free to go.
But I can’t think of any business that can honestly say no to that question, so perhaps we need to define exactly what “personal information” is before we start.
What is “personal information”?
The ICO say that “if you hold information about individuals either on computer or in certain types of filing system you may be holding personal data”, and this is split into four areas:
- Information processed by “automatic means”, i.e. in electronic form, usually on a computer.
- Information processed in a “non-automatic” way, such as a filing system. This refers to paper records.
- Information that is part of an “accessible record”, whether it’s on computer or paper. That covers things like health, education and housing records.
- Information held by a public authority.
If you’re not sure, go to the ICO Data Protection Self-Assessment tool. It only takes 5 minutes to complete and you’ll have peace of mind knowing whether you need to register.
If you do need to register, you may find there are some actions you need to take to ensure compliance.
Finally, please never think “it won’t happen to me”. Here’s a news story from July 2017 where a small UK company that had suffered a cyber-attack was fined £60,000 by the Information Commissioner’s Office (ICO).
What other laws do I need to be aware of as a small business?
This has been the topic for July in the CashFlow College, and lots of other links, discussions and relevant information have been shared over in the college.
If you would like to be part of the college to gain access not just to this information but also to join in our webinar covering all the elements we’ve looked at this month, and for your chance to ask Rachael questions directly, then check out this link.