UK: ICO advises UK SMEs on data protection practices

The Information Commissioner's Office ('ICO') issued, on 23 January 2023, a press release in which it encouraged UK small-and-medium-sized businesses ('SMEs') to ensure they have the right data protection practices in place to help sustain and develop their businesses. In particular, the ICO stated that a suite of free resources for SMEs is available in the ICO's dedicated SME hub, and noted the following tips for businesses getting started in data protection:

  • make a list of what personal information you have or plan to collect - you need to be able to account for all of it; 
  • ask why - there's a balance to be made between what you want to do with people's personal information, the benefits that brings to them, and any harm that might be caused as a result; if you're holding or using people's personal information, it must always be fair, as well as lawful;
  • check that your security measures line up with the sensitivity of the information you hold and put stronger security measures in place if the data poses a higher risk or is sensitive;
  • be transparent - explain to people why you hold information about them, what you will do with it, and how long you will keep it before safely disposing of it, recorded in a privacy notice;
  • know about subject access requests - people have the legal right to know what personal information you hold about them, according to the ICO's step-by-step guide on how to deal with a subject access request;
  • have a data breach action plan in place - if you lose personal information and it is likely to result in a risk to the people affected, you will need to report to the ICO; and
  • check in with the ICO regularly.

In this regard, the ICO highlighted that its advice for businesses comes as it completes a pilot programme with up to 60 SMEs across the UK, in which it has been trialling a new training and development programme, named 'SME Data Essentials', which aims to empower organisations to become better equipped to manage their own data compliance.

Notably, the ICO specified that the pilot forms part of the ICO's new three-year strategic plan ('ICO25'), which details how the ICO will bring down the cost of compliance whilst enabling and supporting SMEs to invest, innovate, and grow.

You can read the press release here, more information on the ICO25 here, and the ICO's step-by-step guide here, and access the ICO's dedicated SME hub here.