The basics: Data Protection - What UK startups need to know

Online businesses often handle a significant amount of personal data. There is a significant amount of legislation around handling personal data and as a Director of your business you are responsible for handling this data correctly.

This article is not legal advice. Here I simply highlight some key issues that you need to be aware of.

The law

The UK Data Protection Act controls how personal data is used by organisations.

Personal data (or ‘personal information’) is information that can be used to identify a specific person. It's "any detail about a living individual that can be used on its own, or with other data, to identify them".

Someone's name for example is not enough to identify them as many people share the same name. However a name, if stored with that person's address and date of birth creates a data set that can identify an individual.

For further definitions, see;
[](Key definitions of the Data Protection Act) (ICO website)

Individuals have rights under law as to what personal data can be held on them and the ICO (Information Commissioners Office) is the UK's independent body set up to uphold information rights.

Everyone responsible for using data has to follow the following ‘data protection principles’....

You must make sure that information is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the UK without adequate protection

What you need to do

At a very basic level, there are 3 main things you need to do

  1. Have a privacy policy
  2. Register with the ICO
  3. Protect personal data

1. Privacy policy

If you collect information about people they need to know who
you are and what you’re going to do with their information. To do this, you need a clear privacy policy on your website. Show this on every page (e.g. in the footer) and be sure to link to it clearly whenever you are collecting personal information (e.g in a shopping cart).

2. Register with the ICO

Most startups will process personal data in a way that requires them to register with the ICO as a data controller. Failure to register is a criminal offence.

Self assessment to see if you need to register with the ICO
Register with the ICO (costs £35)

3. Protect personal data

This is the most important point of all. Protecting personal data is your responsibility and this extends to data that is held physically as well as digitally.

Some examples;

  • your employee contracts contain personal data. They need to be stored securely. If printed, they need to be in a locked cupboard. If digitally, they must have restricted access
  • likewise, candidate CVs contain personal data. They must not be left lying around on desks and should be disposed of after use
  • do not share personal information you've collected with a third party without the explicit consent of the individual
  • ensure contracts with 3rd parties state their obligations with regards to handling personal data
  • think carefully about how you manage passwords and access to your core systems. Never share passwords that can access personal information
  • clear hard drives from laptops when disposing of them

Subscribe to

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.