
Data protection and IT

The EU General Data Protection Regulation (GDPR) regulates how your business processes personal information about living individuals. All businesses are required to comply with the six data protection principles.

Under the outgoing Data Protection Act 1998, you may also be required to notify the Information Commissioner of your data processing activities up until 25 May 2018 when the GDPR takes over. After that point, the notification requirement will cease; however, organisations processing personal data will still be required to pay a fee to the Information Commissioner’s Office.

Making sure that you understand and comply with data protection regulations helps protect your business against regulatory action.

The data protection principles

To comply with the data protection principles set out in the GDPR, you must only process personal information (for example, that of a customer or employee) when you have a fair and lawful reason. You must do this in a transparent manner (ie by keeping the data subject informed of what you are doing with their data, how long you will keep it, and with whom it will be shared, if anyone).

'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it, whether through your business's IT systems, via CCTV or in a manual filing system.

You must limit your processing of personal information: only collecting the information you need, using it for specified purposes and deleting it when you no longer need it for those purposes.

You must also keep information up to date and hold it securely. There are restrictions on transferring personal data overseas, and you must take particular care with sensitive information (for example, details of an individual's ethnic origins or their health records).

Individuals have a range of rights under the GDPR:

  • The right to be informed. This includes details of how information is collected, from where, what it will be used for (and why), and how long it will be retained.
  • The right of access. Individuals have the right to ask to see the information you hold on them - known as a 'subject access request'. If you receive a request, you must normally respond within one month of receipt, and do so free of charge. This covers all data, whether it is held electronically, in paper form or in any other form.
  • The right to rectification. Individuals can require you to correct inaccurate information, or to complete it if it is incomplete.
  • The right to be forgotten. Individuals can require you to delete (or otherwise dispose of) the personal information that you hold about them (subject to limited exceptions).
  • The right to restrict processing. Individuals can, in some circumstances, request that you restrict your processing of their information. It can still be stored, but not processed.
  • The right to data portability. This allows individuals to obtain a copy of their personal information for re-use with other services.
  • The right to object to processing. Individuals can object to you processing their personal data for certain purposes or on certain grounds (subject to limited exceptions).
  • Rights relating to automated decision-making and profiling. If this type of processing is to be carried out, specific conditions will apply (eg it must be necessary for the entry into, or performance of, a contract, or you must have the individual’s explicit consent). In addition, individuals affected by such processing must be given information about it and be given easy ways to request human intervention or challenge a decision.

Data protection fee

Under the outgoing Data Protection Act, any business processing personal information was required to register with the Information Commissioner (subject to exemptions) and to pay a fee determined by size and turnover.

Under the GDPR, however, there is no registration requirement, but a fee remains payable. The fee will be £40 for very small organisations, £60 for SMEs, and £2,900 for large organisations (with more than 250 staff and a turnover exceeding £36m).