Holding Customer Data - is your business compliant?

The Data Protection Act and your business

If you hold and process information about customers, employees or suppliers, you are legally obliged to protect that information under the Data Protection Act 1998. ‘Information’ essentially means any data about a living person such as name, address, date of birth, opinions about the person or any other information from which the individual can be identified. ‘Holding or processing’ carries a very wide definition and broadly refers to storing, obtaining, disclosing, recording, using, erasing, or virtually any action concerning the data which is carried out on computer.

Under the Act, a business or organisation must:

  • only collect information that is needed for a specific purpose
  • keep it secure
  • ensure it is relevant and up-to-date
  • only hold as much as is needed, and only for as long as it is needed
  • allow the subject of the information to see it upon request.

A compliance checklist

Compliance with the law involves following eight data protectionprinciples.

Here are some of the key questions to consider:

Do I need to notify the ICO?

Most businesses processing personal information as ‘datacontrollers’ are required to register with the Information Commissioner’s Office (ICO) and pay an annual notification fee.

The exact cost depends on size and turnover, but for the majorityof organisations the fee is £35. You should always register with the ICO directly.

Should I really keep this information?

When assessing whether the data you are capturing is compliant,you should be confident that it is necessary for your specificbusiness purpose, that it is accurate and up-to-date, and that theperson can see the data if he or she asks for it.

Is the information I hold secure?

Ensuring your IT systems are secure is of paramount importance – and that means the physical security of your servers as well as software security such as antivirus and firewalls.

Am I handling employee data correctly?

The Data Protection Act doesn’t just apply to customer information, it also applies to employees. For example, if you want to put information about staff on your website you should consult them first; and should you wish to monitor their emails you should make this clear and explain why.

Next steps

If you haven’t already done so, it may be beneficial to draw up a company policy on data protection and communicate it to all employees.

As well as being a legal requirement, a good data policy can benefit your business. Sending out mailshots to out-of-date records is not cost-effective, while good information handling may increase customer confidence in your business and help your reputation. So drawing up a sound data protection policy – or reviewing the one you have in place – is well worth the effort.

The Data Protection Act can be a complex area for small businesses. Further advice is available on the ICO website –


View or download our full newsletter here >