shaw gibbs - accountants and business advisers

Have a question? Like to know more? - Contact us or Call 01865 292200 or 020 7436 4773, Mon-Fri 8:15am - 5:15pm

Holding customer data – is your business compliant?

28 Sep 2015

If your business captures or handles information about people, then you need to make sure you comply with the strict rules governing data protection. Here are some pointers for staying on the right side of the law...

The Data Protection Act and your business

If you hold and process information about customers, employees or suppliers, you are legally obliged to protect that information under the Data Protection Act 1998. ‘Information’ essentially means any data about a living person such as name, address, date of birth, opinions about the person or any other information from which the individual can be identified. ‘Holding or processing’ carries a very wide definition and broadly refers to storing, obtaining, disclosing, recording, using, erasing, or virtually any action concerning the data which is carried out on computer.

Under the Act, a business or organisation must:

  • only collect information that is needed for a specific purpose
  • keep it secure
  • ensure it is relevant and up-to-date
  • only hold as much as is needed, and only for as long as it is needed
  • allow the subject of the information to see it upon request.

A compliance checklist

Compliance with the law involves following eight data protection principles. Here are some of the key questions to consider:

Do I need to notify the ICO?

Most businesses processing personal information as ‘data controllers’ are required to register with the Information Commissioner’s Office (ICO) and pay an annual notification fee. The exact cost depends on size and turnover, but for the majority of organisations the fee is £35. You should always register with the ICO directly.

Should I really keep this information?

When assessing whether the data you are capturing is compliant, you should be confident that it is necessary for your specific business purpose, that it is accurate and up-to-date, and that the person can see the data if he or she asks for it.

Is the information I hold secure?

Ensuring your IT systems are secure is of paramount importance – and that means the physical security of your servers as well as software security such as antivirus and firewalls.

Am I handling employee data correctly?

The Data Protection Act doesn’t just apply to customer information; it also applies to employees. For example, if you want to put information about staff on your website, you should consult them first, and should you wish to monitor their emails, you should make this clear and explain why.

Next steps

If you haven’t already done so, it may be beneficial to draw up a company policy on data protection and communicate it to all employees.

As well as being a legal requirement, a good data policy can benefit your business. Sending out mailshots to out-of-date records is not cost-effective, while good information handling may increase customer confidence in your business and help your reputation. So drawing up a sound data protection policy – or reviewing the one you have in place – is well worth the effort.

The Data Protection Act can be a complex area for small businesses. Further advice is available on the ICO website –

© 2018 Shaw Gibbs Ltd
