Six Key Privacy Tips for New Businesses in England

New business owners must be aware of the privacy requirements to avoid unintentionally breaching them. Since the introduction of the General Data Protection Regulation (GDPR), there has been a renewed focus on ensuring good privacy practices by businesses in England. This applies to new and existing companies. This article will explore six privacy tips for any new business in England, so your organisation can establish proper privacy practices and avoid unintentional breaches of the GDPR.

Why is Privacy Compliance Important?

Privacy compliance is vital because all new and existing businesses in England must comply with the relevant rules, which include the GDPR. If your organisation fails to comply with the GDPR, it risks a fine from the Information Commissioner’s Office (ICO). The ICO has the authority to fine organisations in England up to £17.5m for a breach of GDPR rules, so your business should comply with data protection and privacy rules.

Therefore, with this in mind, let us explore six essential privacy tips for new businesses in England.

1. Implement a Privacy Policy

A privacy policy is a document in which your company explains what information it plans to collect, how it intends to use that information and whether it will disclose it to any third parties. It is crucial to have a thorough privacy policy if your business intends to collect and use personal information such as:

  • postal addresses;
  • email addresses;
  • telephone numbers; and
  • dates of birth.

Your company should ensure potential customers can easily locate and access the privacy policy and that a copy is available on your website. Failure to do so is a possible breach of the GDPR, particularly if your business is likely to record sensitive or personal information.

2. Only Collect Essential Personal Information

While this may sound obvious, many business owners collect too much information. Consequently, they may encounter issues with the ICO for collecting irrelevant information in breach of the GDPR. For example, suppose you post items to customers through your website. You can safely collect an individual’s telephone number and email address (to update them on progress) and their postal address (to deliver the item). However, there would be no lawful purpose for requiring their national insurance number or date of birth.

3. Process Personal Data for Lawful Purposes

The GDPR only allows your business to record personal information from individuals to comply with legal obligations or carry out the service agreed with the individual. Any information beyond this scope requires the individual’s consent in advance.

For example, if you obtain an individual’s home address and telephone number to send an item by post, you cannot sell those details to a third party. Your company may only do so if that individual consents to you sharing their personal information with other parties. The obvious exception is a disclosure needed to carry out the service for that individual. For example, you may share their name and home address with the postal service delivering their item.

4. Safely Store and Protect All Personal Data

One of the main requirements within the GDPR is to store personal information securely. This means implementing adequate safeguards to prevent data theft.

Standard cybersecurity measures include:

  • using robust antivirus software;
  • setting up two-factor authentication for important accounts and systems;
  • using strong passwords on systems and software programs;
  • encrypting sensitive and valuable information; and
  • carrying out regular data protection audits to test system security.

5. Regularly Train Staff on Data Protection and Privacy

Many system breaches result from employee error. For example, an employee may click on a suspicious link and allow a virus to spread through your computer network.

Therefore, it is crucial to regularly train staff on:

  • good cybersecurity practice;
  • how to spot suspicious emails, links and websites;
  • the need to carry out virus checks on physical media (such as USB drives or CDs) before plugging them directly into your live system;
  • safe ways of recording and storing customer information; and
  • when to delete information.

6. Carry Out Regular Privacy Audits

A privacy audit is a process whereby your business reviews its existing privacy documents, including privacy policies.

It is good practice to regularly review the wording of a privacy policy to ensure it remains accurate, and to update it to reflect any changes.

A good privacy audit should also assess risks in how your company records and stores data. This applies whether you store data on physical hard drives (which may risk theft or hardware failure) or on the cloud (which faces a more significant risk of cyber intrusion).

Key Takeaways

Starting a new business is an exciting time, and it is essential to implement the correct data protection policies and procedures from the beginning. This can be invaluable in protecting important information and guarding against cyber attacks. As the ICO can issue significant fines, it is in your commercial interest to comply with data protection rules.

If you need help with privacy rules and ensuring a robust IT system, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why is a privacy policy so important?

Because it is the primary legal document in which your business explains the information it will collect from its customers. Informing individuals upfront about what you intend to do with their personal information is a core tenet of the GDPR and failing to do so risks a substantial ICO fine.

Would the ICO provide a new business with a fine or warning?

While the ICO accounts for mitigating circumstances when responding to a GDPR breach, they are prepared to fine new businesses. The level of any fine depends on the (potential) harm to individuals rather than the company’s age.

Thomas Sutherland