Data protection laws apply to all types of businesses regardless of size, and early-stage businesses are not exempt. If you process the personal data of UK citizens, even if you are a non-UK business, you are likely to be subject to UK data protection laws. You may also have obligations under contracts with your customers or other companies to comply with these laws.
Setting up and scaling a business takes an enormous amount of effort. It is easy to be distracted by other priorities, but the risks relating to non-compliance are high, including substantial fines and risks of claims, potential criminal liability of directors and senior managers, damage to your reputation with customers, vendors and potential investors, and business continuity issues. Adopting the correct measures and establishing a framework for compliance is much easier to do in the early days when you are building your business processes and designing your products and services. It will help you to reduce these risks and to build trust and a positive reputation with your customers, vendors and potential investors.
In this article, we have summarised some of the key considerations under UK and EU data protection law.
1. What are the applicable data protection laws?
The Data Protection Act 2018 transposed the EU General Data Protection Regulation (EU GDPR) to become UK GDPR. Further codes and regulations apply, for example in relation to processing of children’s personal data, processing of biometric personal data, and use of AI. Regulations also apply to use of cookies and direct marketing.
Whilst in this article we will focus primarily on UK GDPR, we will come back to the other topics in further articles.
2. What is personal data?
Personal data is defined broadly and comprises data relating to any living individual who can be identified from that data either directly or indirectly.
It includes information such as: names, addresses, social security or other national identification numbers, telephone numbers, health information (of, for example, customers and employees), location data and online identifiers.
3. Who needs to comply?
All organisations which process personal data in the UK must comply with UK GDPR. UK GDPR also applies to organisations based outside of the UK which offer goods or services to individuals in the UK.
There are two types of organisations:
- controllers: who decide what information should be collected and the purpose or outcome of processing that information; and
- processors: who follow the instructions of somebody else in relation to data processing.
UK GDPR applies to both controllers and processors, but different requirements apply to each, with controllers having the highest level of responsibility. In practice most businesses will be controllers in relation to some of their data processing activities and processors in relation to other activities.
4. Check if you need to register the business with the ICO
Most small businesses must register as controllers with the Information Commissioner’s Office (the ICO) and pay a data protection fee (which for most small businesses is £40 a year). There is no minimum financial threshold or minimum number of employees which determines this.
Failure to comply can incur a fine of £4,000. The ICO undertakes routine checks against Companies House records to identify whether there are any companies which may need to register but have not yet done so. Non-registration can also lead to the ICO deciding to undertake a wider investigation or audit of the data processing practices.
To determine if your business needs to register and to register your business, you can use the ICO’s data protection fee self-assessment tool here.
5. Comply with the six key data protection principles
UK GDPR requires that you abide by six key principles. These principles require that personal data is:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purpose(s) for which it is processed;
- accurate and up to date;
- not kept in an identifiable form for longer than is necessary for the purpose(s) for which it is processed; and
- kept secure using appropriate technical and organisational measures.
You need to keep these principles in mind in respect of all of your data processing activities.
In addition, personal data must be processed in line with individuals’ rights and not transferred to countries outside the UK without adequate protection. This includes using a data hosting facility located outside of the UK. At the current time the UK and EU have arrangements in place to recognise each other, which allows for data to be transferred freely between the UK and EU. There is also currently an arrangement between the UK and US; please see our article here.
6. Establish who will be responsible for data protection compliance within your business
As you grow your team, you will need to consider how data protection responsibilities will be managed within your business and by whom. For example, who will keep customer and staff records up-to-date and respond to data subject access requests (which we explore further in Data Protection by design and default – establish compliant business processes below)? Smaller businesses are likely to require external guidance from advisors with expertise in this area, such as to help with preparing key data protection documentation (see Prepare key documentation below).
Certain organisations are required to designate a data protection officer (DPO). A small organisation is unlikely to need a DPO, however you should identify who within the business will take responsibility for ensuring compliance and responding to any subject access requests and dealing with data breaches. As your business grows you should keep up to date with the ICO’s guidance regarding DPOs to determine if this requirement later applies to you.
You should also consider who will be responsible for information security within your business, to ensure that you have processes and infrastructure in place to protect personal data (such as by using encryption and training employees to avoid fraudulent emails).
We recommend researching the UK Government Cyber Essentials scheme and engaging with a cybersecurity expert to keep your business, your staff and your customer data safe from cyber attacks.
7. Identify the personal data that you will be collecting, and why you need this
The scope of data protection obligations that apply to your business will depend upon the categories of personal data that you collect and process. It is therefore important to identify all such categories. As mentioned above, personal data is very broadly defined pursuant to UK data protection law, and includes categories such as names, addresses, emails, telephone numbers, and bank or credit card details. It can also include more sensitive information, such as criminal records.
Once you have identified the categories of personal data that you are processing, you will need to be able to explain why you are processing it, and the lawful basis that you have for processing it. The ICO’s lawful basis interactive toolkit can be used to help determine the lawful basis.
8. Prepare key documentation
UK data protection law requires businesses to have certain key documentation in place, such as:
- Data Processing Agreements: Whenever an organisation provides personal data to a third party (for example, as part of outsourcing your operations or services), there must be a data processing agreement in place that documents certain key terms. You can ensure that a compliant version of this agreement is used and avoid negotiations down the line by having a template form of this ready to be shared with third parties that you work with. You should carefully consider which third parties personal data is shared with, and regularly audit this.
- Website Privacy Policy: This is displayed on your website, to provide users with key information regarding how you will collect, use and store their personal data when they interact with your website. The ICO’s website contains a privacy notice generator that can be used as a starting point. If you use cookies, you will also need a Cookie Policy to provide users with information and choice regarding your use of cookies.
- Data Protection Policy: This is an internal document which sets out the principles and legal conditions under UK data protection law that your business will need to satisfy when handling personal data.
- Employee Privacy Notice: This is an internal document that provides your employees with information regarding their rights in relation to personal data that your organisation processes and stores.
This documentation will need to be reviewed on an ongoing basis to ensure that it captures changes in data protection law and remains compliant.
9. Data Protection by design and default – establish compliant business processes
UK GDPR requires “data protection by design”, which means that you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated the principles of data protection into your processing activities and that individuals’ rights are safeguarded. The ICO explains that in essence, you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle. It is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the UK GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.
Certain business processes will need to be designed to ensure data protection compliance. For example, consider the following:
- If a customer contacts an employee with a query related to data protection (such as requesting that their data is erased), how will this be escalated to the appropriate person to respond? If your business receives a subject access request (a SAR, which is where an individual asks you for a copy of any information that you hold about them), you will be obliged to respond in a certain way and within certain timelines. Please see the ICO step-by-step guide on SARs for further information.
- Before a customer interacts with your website, have you drawn your use of any cookies to their attention and provided the customer with the option to select the cookies that will apply to them?
- Before you send marketing emails to a customer, have you obtained their consent for you to do so? The ICO website contains a direct marketing advice generator which provides guidance on using marketing in a compliant way.
10. Be prepared to respond to data breaches
If the personal data that your business holds is lost, disclosed, destroyed or altered without proper permission, this could amount to a personal data breach that may need to be reported to the ICO within 72 hours.
In addition, where a breach is likely to result in a high risk to the affected individuals, you must also inform those individuals without undue delay.
It is therefore important to have a procedure in place, of which employees are aware and which will be followed should a data breach occur. This includes maintaining an internal record of all personal data breaches or suspected personal data breaches.
At Michelmores, we frequently advise early-stage businesses on data protection compliance matters through MiVentures, an award-winning programme which is dedicated to giving extra support to innovative and scalable businesses.
For advice on the particular issues relating to compliance with data protection covered in this article, please contact Anne Todd, Moya Smith or other members of our Data Protection & Privacy team. Anne and Moya have both worked as in-house lawyers at large enterprise customers as well as on behalf of scale-up and SME suppliers. We have an experienced team of experts who can advise you on data breaches, subject access requests and claims brought in respect of data breaches.
This article is for general information only and does not, and is not intended to, amount to legal advice and should not be relied upon as such. If you have any questions relating to your particular circumstances, you should seek independent legal advice.