Skip to Content

Legal Requirements for Storing Business Information

The GDPR regulation of May 25th, 2018 provided much-needed improvements to the Data Protection Act (DPA) of 1998 and 2018. For quite some time, it was believed by many to be long overdue since the DPA 1998 was no longer considered fit for the purpose for which it was originally designed.

“The guidelines under the Data Protection Act 2018 stated that a business in the United Kingdom that is collecting, storing or processing an individual’s details and information is expected to adhere to the regulations as defined by the Data Protection Act of 2018. For businesses that did not adhere to these regulations, fines could be issued to the organisations of up to £500,000 for failure to comply with the Data Protection Act 2018.”

In the United Kingdom, any fines issued under the DPA 2018 were more or less for data breaches and very often not issued. Breach of Data Protection Act 2018 can take place if there is a misuse of personal data, illegal processing of personal data, or if a person is unaware that his/her data is in use for online marketing or any other marketing purposes for which the user did not provide their consent to the organisation.

The Data Protection Act 2018 applies to every business and organisation based in the UK which processes an individual’s personal data and information. A set of guidelines, mainly for self-management, are available for businesses. The Data Protection Act is really wide-ranging. It is not limited to a specific kind of business, or even business in general – even private individuals can be bound by its regulations if they use data in certain ways.

Business information, as it comes under the Data Protection Act, also relates to a company’s employees. It includes such processes as recruiting staff and making sure staff records are secure, protected and not available for use for any purpose other than for that which they are intended. The legal requirements also cover such activities as marketing products and services, and CCTVs and the way it’s used.

However, the Act only applies if you put or intend to put this information on a computer in some way, – so if you’re one of the very few businesses that don’t use a computer to store information, then it won’t apply to you. Also note that the ICO reserves the right to issue extremely heavy penalties to companies not abiding by the legal requirements of storing business information– it can issue penalty notices of up to £500,000, and undertake criminal prosecutions for the most serious offenders.

Unless you maliciously breach the Act or deal incompetently with personal information, it is quite rare that such heavy penalties will be imposed. The Department of Justice in Northern Ireland was fined after it sold a filing cabinet containing the details of a terrorist incident at auction, which should give you an idea of the kind of incident the ICO deems fit for serious penalties.

Note that a vast majority of incidents are dealt with by what is known as an enforcement notice, in which the ICO contacts the offending company and requires them to take specific steps to comply, usually by simply stopping whatever they are doing.

8 Basic Principles of Data Protection in the UK

Note that to stay within the law once you’ve registered, you need to comply with these eight principles that has to do with storage and use of data as outlined in the Data Protection Act. Anyone processing personal data is expected to comply with these eight principles to avoid being on the wrong side of the law. These principles include;

1. Under the Data Protection Act, Data is expected to be processed fairly and lawfully in practice

This means you shouldn’t mislead, coerce, or bribe your customers into giving away their personal data. Note that this condition requires you to be explicitly clear on what data you are collecting, why you are collecting it, and what it should be used for.

In the United Kingdom, most businesses take care of this by making customers sign or tick what’s generally known as a ‘privacy notice’. The ICO has produced a helpful checklist on the Data Protection Act, specifically produced for small businesses, which contains guidance on how you can draft a privacy notice.

The first principle also requires you to meet at least one of the ‘conditions for processing’ when using personal information in any way. More restrictive conditions also apply to ‘sensitive’ personal information, such as information on a person’s religious beliefs or sexual orientation.

2. Data is expected to only be obtained for specified and lawful purposes

And processed in a manner which is compatible with those purposes. Notably, it is expected to be made clear to the user/customer/potential customer at the start what your business will be using the data for and why it is being collected.

Any new purpose you use the data for should be broadly in line with the original purpose. So, for example, if you run a courier business, you shouldn’t start using your customers’ addresses to send them unsolicited marketing material.

3. Data is expected to be adequate, relevant and not excessive in relation to the purpose for which it is processed.

You are expected to be clear as to the type of information you wish on customers or potential customers and why, e.g. name, address and any personal details. This includes information taken electronically, e.g. from e-commerce transactions. Also make sure that you take the data protection principles into account when storing customer data.

4. Personal data is expected to be accurate, and where necessary, kept up-to-date. Again, this principle more or less speaks for itself.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. Always make sure to securely delete/dispose of the data when you no longer need it.

6. Personal data shall be processed in accordance with the rights of data under this Act

Customers have a right to access a complete copy of the information you hold on them, under something known as a subject access request. Other rights they have include a right to stop your business doing anything that may cause them damage or distress, a right to stop you using their information for direct marketing, and a right to claim compensation caused by breaking Data Protection Act regulations.

7. Appropriate technical and organisational security measures are expected to be taken to prevent unauthorised or unlawful processing, accidental loss of or damage to personal data.

You are also expected to keep any personal data you hold secure and it cannot be compromised, accidentally or deliberately. The Act notes that you should have security that is ‘appropriate’ to both the nature of the information, and the harm that may result from its improper use.

This doesn’t necessarily mean having state-of-the-art military grade security software, but the measures you take should be in line with the risk to your company. It’s important to remember that the IT security solution you choose isn’t the end of the story, either. Keep as much data restricted as possible and only authorise the people you need to – don’t go giving the office intern access to your customers’ credit card details.

8. Personal data shall not be transferred to a country or territory outside the EEA (European Economic Area) unless that country or territory ensures an adequate level of protection.

This is particularly required if you are a hosting or cloud-based storage company, which may store large amounts of data overseas. You should keep personal details within Europe at all costs as the number of countries considered as having an ‘adequate’ level of protection is actually quite limited; the European Commission has listed only 10 countries, of which the USA is not one (although sending data to companies operating under the voluntary ‘Safe Harbor’ arrangement is considered acceptable).


Changes in the way human beings engage in commercial activity, the rapid rise of online communications and the increase in the virtual nature of business, home and social life resulted in the need for a revised legislative system. The actions undertaken by all businesses in the UK are subject to the Data Protection Act of 2018.

This allows individuals to be in control of their own information. The act ensures better safety provisions for people whose sensitive information may be shared or used. The data protection act outlines and prescribes ways to address data privacy in the digital world. It stipulates that information must flow with ease, and without discomfort.