bCentral Home
Your Online Business Center

Data protection

It sounds boring, but it isn't too painful, and can safeguard your business

Data protection sounds boring, because it's not a key part of your business. You probably don't lie awake worrying about it. But ignore it and you could end up with a hefty fine, find yourself unable to secure funding or sell your business for its true value. Take the time to understand the basics of data protection legislation for the sake of your business.

Avoid data doom

Andrew Wooley So what are the real implications to your company?

"Many business owners are not aware of the effect the Data Protection regulations may have on how much they can sell their business for and what they can borrow," says Andrew Woolley of Woolley & Co.

"For e-commerce businesses, and many others too, a key asset is almost bound to be the customer or contacts database (the "data"). A common misconception within the realms of data protection is that all you need to do is register with the DPA and have any old policy on a website.

"I've seen a person who's started a small website with no data protection in place, except for registering. He had a privacy policy knocked together by their web designer which, like many others, said, "We will not sell your data to anyone". His business went very well and he collected lots of data. A larger company wanted to buy the business. Their lawyers were horrified to see the privacy policy wording and subsequently the data couldn't be sold, so he lost about �1 million."

Further to this, lenders will want to look at the value of your business and what they could get for your it if it had to be sold.

Gill Hunt You never know when you might need your data protection policy, as Gill Hunt of Skillfair.co.uk found out.

"When I set up Skillfair, data protection wasn't exactly high on the agenda," admits Gill. "But I did get nagged into registering with the Information Commissioner which prompted me to put together a privacy policy which is clearly shown when people register with us. However, that this isn't just a theoretical exercise - a fact which was brought home to me a few months ago. A consultant who's been registered with us for a year emailed to ask what details we held on him. Luckily we were able to send him a copy of the privacy policy and all the details we hold as detailed in the policy!

"What I learned from the experience is there's always someone out there who'll test your procedures - so make sure you have some and know what to do when they ask!"

Registering with the Information Commissioner

You may be exempt from registering with the Information Commissioner's Office if you only process people's personal data for personnel purposes, advertising and PR activities or for accounts and records. However, Andrew Woolley suggests small business owners should assume they need to register: "You soon will if you don't already."

Notification costs �35 and must be renewed annually. And if you are not exempt from notifying the Information Commissioner but fail to do so, you are liable now to pay fines up to �5,000 per offence plus costs. Liability can extend to the company and to individuals, which means if a company commits a criminal offence under the Act, any director or manager can be found guilty too.

Beware the scams: There are several bogus companies who use new company registration data to send you a demand for data protection registration. These are fake and should be ignored. The Information Commissioner is the only body responsible for data protection registration, and keeps a list of known bogus companies.

If you are exempt, you still need to keep data safe and abide by the key rules of data protection. To avoid any problems down the line, here are some key considerations:

Spend time on your privacy policy to get the wording right.

Register with the Information Commissioner.

Train staff to handle data reliably and remind them it is a criminal offence to pass it on.

Get consent. "A mere link to the policy on your website is not enough," says Andrew. If you run a newsletter or are thinking of doing so, you must "get agreement to send it from the recipients, and provide a clear (and working) unsubscribe option in any communication."

Do only what you say you will do with customer data, as by law data must only be processed for one or more specified purposes.

Keep adequate, accurate, relevant and "not excessive" data and keep it only as long as is necessary.

Always keep your data safe and secure.

As Gill Hunt discovered, you must also provide individuals with a copy of all the information you hold on them if they make a written request for it. You can charge a fee of up to �10 for this. If they ask you to stop using their data for direct marketing purposes, you must do so.

It actually isn't too painful - and much of the regulation amounts to the protection you'd want people to take with your personal details too. By keeping to a few relatively simple rules, you can protect and safeguard not only those whose data you hold, but also your own business's future.

��Like what you've read? Try our free newsletters.

What next?

Visit the Information Commissioner's website for more information and advice.

Read our security bulletins for information and advice to help you safeguard your data.

Data Protection is one area where you can feel like you're drowning in red tape. Order our free guide to overcoming bureaucracy and regulation and learn how to spend more time actually running your company.


Sign into Microsoft Small Business+ for free web-based training and software support.

sign in
Security information

Find a local Microsoft Small Business Specialist to help with your IT needs

Microsoft Small Business SpecialistMore info >

What do you want your PC to help you with?

What do you want your PC to help you with?









Free business newsletters - subscribe now

Our free newsletters are packed full of business advice and ideas - plus all the latest news

Security information

Get the latest bulletins and updates direct from Microsoft