Data Protection: a guide for small businesses and start-ups


For small online businesses and start-ups, collecting data for marketing and sales communications is essential, and good-quality data is therefore highly valuable. However, there are specific rules and regulations that govern how you collect, keep and use data. It is important that you familiarise yourself with these, since the last thing you want is to upset customers or face hefty fines.

This post provides a basic overview, but I have added a list of useful links at the bottom that will enable you to examine the regulations in more depth and look up the specifics relevant to your business.

In the UK there are two key acts you should be aware of concerning data collection, processing and dissemination:

1. Data Protection Act 1998

2. Privacy and Electronic Communications Regulations Act

These basically concern how you:

  • Obtain ‘personal data’ from your data subject (e.g. customer, visitor to your website, prospect). Your data subject should understand why they are handing over their data and how it will be used.
  • Process and store personal data (modify, keep secure and delete data).
  • Use personal data.


1. Data Protection Act 1998

“Data Protection Legislation is enacted to protect the individual, to protect their privacy and prevent the misuse of their personal data” (Chaffey et al, 2009 p.141).

The Data Protection Act 1998 (DPA) affects how you can collect and use data. In the UK, any company that holds personal data on file needs to register with the data protection registrar. Some small businesses are exempt from registering – you can find out whether you are exempt by taking the ICO’s (Information Commissioner’s Office) online self-assessment questionnaire.

The Information Commissioner has an excellent overview and checklist specifically for small businesses: Data Protection Checklists for Small Businesses and SMEs.

There are 8 key principles in the 1998 Data Protection Act, which can be summarised as follows.

  1. Personal data shall be processed fairly and lawfully. Essentially this is a code of practice that the Information Commissioner suggests to ensure fair and legal data processing. A quick summary of the code includes the following: companies should have a named person, the ‘data controller’, who has overall responsibility for data protection. If you are a small business or sole trader this is likely to be you. Any communications should clearly detail how a ‘data subject’ (e.g. a customer) can get in contact with the data controller or their representative. The ‘data subject’ must have given consent prior to any data processing. Sensitive personal data (e.g. ethnic origin, religious or political beliefs) should be treated with particular care.
  2. Personal data shall be obtained only for one or more specified and lawful purposes. You must make it clear at the point of collection how you intend to process and use the information – for example, whether you are using it for further communications and whether the data will be passed on to any third parties.
  3. Personal data shall be adequate, relevant and not excessive. This is really a balance between the information you need as a company to better understand your customers and not taking advantage of your data subjects’ rights.
  4. Personal data shall be accurate and, where necessary, kept up to date. It is essential that you keep your data accurate (think about how the data is inputted – many mistakes come from inaccurate keying in) and up to date. So if a data subject contacts you with any changes to their personal details, those changes should be implemented quickly.
  5. Personal data shall not be kept longer than necessary. If your relationship with the data subject ends then you must delete their data. This is a slightly woolly area, so I would suggest you use your common sense – for example, if you have held the data for years but feel there is a possibility that the data subject will buy from you, then the information is still useful. However, if the data subject has had no contact for 10 years then perhaps you need to think about deleting it – don’t forget that a clean, up-to-date database is likely to perform better anyway.
  6. Personal data shall be processed in accordance with the data subject’s rights. This concerns protecting the rights of the data subject with regard to how their data is processed. Examples include: an individual can request to view the personal data an organisation holds on them (which must be supplied within a 40-day period); data processing should not cause distress (for example, sending out mailshots to someone who has passed away); and unsolicited phone calls or emails should not be made.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. This is about ensuring that the data you hold is protected by the security measures necessary to prevent any unauthorised access to it.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection. Essentially this means that you cannot transfer data to countries outside Europe if they do not have appropriate data processing laws in place – such as anti-spam legislation and regulations surrounding privacy and electronic communications.


2. Privacy and Electronic Communications Regulations Act

In 2002, to further support the 1998 Data Protection Act, specific regulations were introduced to protect consumers by controlling the distribution of electronic communications (e.g. email and SMS). There are regulations specific to the type of communications you are looking at, so it is important to take a look at the Act in full. However, some key points of importance here include:

  • Having an opt-out / unsubscribe option in all communications. Customers should be able to unsubscribe from future communications quickly and easily. For example, you should always include a clear unsubscribe option in all your communications and ensure this is followed up by suppressing any such opt-outs on your database.
  • Contact details must be provided. You must, by law, provide contact details by which a recipient can get in touch – such as a valid address or phone number.
  • The sender must be clearly identifiable. Essentially you should in no way attempt to conceal or disguise your identity.
  • For unsolicited electronic communications the recipient must have given prior consent. Often you see this implemented at the sign-up stage with a simple tick box where the recipient can choose to opt in (he/she proactively consents to receive further information) or opt out (he/she refuses the offer to receive further information). For example:

Would you like to receive further communications by email Yes 〈  〉  No 〈  〉

As we mentioned earlier, it is worth reading the regulations, as there are slightly different rules for individual subscribers, company subscribers and existing customers, so check what is applicable to your business. For example, for existing customers you can use what is known as a ‘soft opt-in’, which differs from the formal ‘opt-in’. This is where you can send emails or SMS messages if you have:

  1. obtained their contact details from a sale (or sales negotiation) of a product or service;
  2. only marketed to them about similar products or services; and
  3. given them the option to opt out of the marketing when you first collected their details, and given them the opportunity to opt out (unsubscribe) in subsequent communications.

Also, this guide focuses on regulations within the UK, so if you are outside the UK then you need to look at the regulations for your own country – for example, in the US there is the CAN-SPAM Act 2003. A useful summary of spam and privacy regulations for individual countries can be found at .

Finally, it is also worth quickly mentioning the CAP UK Advertising Codes. This code stipulates a number of rules of best practice concerning advertising, sales promotion and direct marketing, such as being responsible, non-offensive and not misleading. It also has more specific rules pertaining to particular industries and to advertising to children. Again, it is something worth taking a look at.

Hopefully this gives you a brief overview of the key data-protection and privacy regulations in the UK. Outlined below are some useful links that will provide you with further, more in-depth reading.

Useful references

  • Getting it right. A brief guide to data protection for small businesses
  • Information Commissioner – Data Protection Principles
  • ICO Marketing Guidance for Privacy and Electronic Communications
  • Direct marketing, Data Protection Act and Privacy and Electronic Communications Regulations
  • Guide to Privacy and Electronic Communications
  • The Data Protection Act
  • Committees of Advertising Practice (CAP), UK Advertising Codes
  • Email Marketing – When to use opt-in and when to use opt-out
  • Spam Laws Guide to different countries’ regulations


We’d love to hear your thoughts and experiences on this post, so please do leave a comment.