Yes. The UK’s data protection rules apply to all businesses (including small- and medium-sized enterprises) and organisations (including charities) in the UK that process personal data, regardless of their size; start-ups must comply with all of the rules as well.
Data protection rules regulate the ways in which personal data can be used (or 'processed'). The persons to whom the personal data relates (known as 'data subjects') are given various rights in connection with the use of their information, and the rules ultimately limit the way in which the information can be used by organisations without providing appropriate levels of information to the data subject and ensuring there is a legal basis for the processing.
Increasingly, consumers and employees expect a high standard of protection for their personal data. Breaches of the rules and/or any loss or misuse of data can result in reputational damage that can be costly to a business. Additionally, a breach of the data protection rules can result in administrative fines and/or private actions for compensation by individuals (more information is provided below).
Regulators use a two-tiered structure of penalties. The most severe data breaches fall into the higher tier, with the potential of fines of up to €20 million, or 4% of global annual turnover, whichever is higher. The lower tier carries a maximum fine of €10 million, or 2% of annual turnover. Fines up to the statutory maximum are not likely to be given unless non-compliance is very severe or results in real harm to data subjects. Alternative enforcement action by the ICO could include a temporary or permanent ban on processing.
In the event of non-compliance with data protection laws, individuals may be able to claim compensation (from either the data processor or the data controller) if they’ve suffered material or immaterial damage.
UK data protection law is built upon the following overarching principles. While businesses also need to adhere to specific requirements under the law, the principles described below must generally be complied with whenever personal data is used.