Data protection and your business

Last updated: 6 November 2017

You must follow rules on data protection if your business stores or uses personal information.

This applies to information kept on staff, customers and account holders.

Visit GOV.UK for information on:

  • data protection rules
  • recruitment and managing staff records
  • monitoring staff at work
  • using CCTV
  • getting advice on data protection

Notifying the ICO

Under data protection law, you have to provide details to the Information Commissioner's Office (ICO) of how your business handles personal data about staff or customers.

This information, including your organisation's name and the reason for storing the data, will appear on the data protection public register.

Visit GOV.UK for more information and a link to the online application form.

Data protection requests

Under data protection law, anyone can ask if your organisation holds personal information about them - you must respond to their request within 40 days.

Visit GOV.UK for advice on how to respond to data protection requests, and what information is exempt.

Information and data security

You should take steps to keep your business safe online and protect the information and data you hold about your business, staff and customers or account holders.

This information is often the target of online threats, such as phishing and viruses.

There is no single way of protecting your business against these threats. But common advice includes:

  • using strong passwords and user accounts
  • training staff about online threats
  • using firewalls and security software
  • installing software updates
  • password protecting your Wi-Fi network

You can find more advice on protecting your business on the Get Safe Online website.

Certification

Your business can have its information security certified.

This is a way of showing potential partners that your business has a certain level of information and data security.

It could also mean your business can get cyber liability insurance.

You can find more advice on information security certification on the Get Safe Online website.

Cyber Essentials

Cyber Essentials is the UK government's own certification standard for information security.

Your business can get help achieving this standard by applying for a Digital Scotland Voucher.

This is an award of up to £1,500 to check if your business meets Cyber Essentials standard.

You can:

Safe disposal of computers, media and devices

Your business should take care when disposing of:

  • computers
  • tablets or smartphones
  • CDs or DVDs
  • USB sticks and devices
  • memory cards

Criminals can often retrieve data stored on these items – even if you think it has been deleted.

To safely dispose of these items, you can:

  • use a file deletion program or service
  • destroy the physical item, so no-one can use it again

Find more advice on disposing of computers, media and devices on the Get Safe Online website.

Safe software decommissioning

Your business should review or audit its software on a regular basis.

This helps determine when software is redundant and needs to be 'decommissioned' (retired).

Software provides access to information and data. So, it's important your business still protects any software it plans to decommission.

To safely decommission software, you can:

  • use a file deletion program or service
  • destroy the physical item it's stored on, so no-one can use it again

You can find more advice on software decommissioning on the Get Safe Online website.