Skip to content

The Information Commissioner’s Office (ICO) is the UK Data Regulator. They have issued some new guidance regarding COVID-19 which explains how they will help businesses with GDPR and Data Protection compliance during the crisis. However, the new guidance presupposes that a business understands the data protection rules and is already compliant.

In our experience as a Law firm advising SME and especially start-up businesses, we find that Data Protection is often misunderstood, shrouded in mystery, myths and media hype which leads many businesses astray. This short blog is designed to help de-mystify the basics and offers guidance on where to find additional help without incurring additional costs to the business.

When starting a business, there are many things to do to ensure your ‘Ducks are in a row’. These things are all important but none more so than ones, which if you forget to do them can generate a fine or a reputational issue for your fledgling business. The very last thing a new business needs is an Online ‘Naming & Shaming’ by a Government body.

The first thing to understand is that Data Protection applies to EVERY organisation, even small sole traders, partnerships, Limited Companies and Charities. The Law says that prior to processing your very first piece of data the Company must comply with the Regulations.

One of the greatest misunderstandings we encounter is that data protection rules only apply to Online trading or computer-based businesses. In fact, Cyber security and website data protection is only a supplement to your primary data protection policies and documentation.

Here is a short checklist based on the methods we use to confirm data protection compliance when a client contacts us.

There are 3 basic requirements to achieve compliance:

  1. Has the Company registered with the Regulator?
  2. Has the Company carried out a formal assessment of its Data Protection needs. (A Data Audit)
  3. Has the Company written a series of bespoke data protection policies for their business based on their Data Audit. NB: Bespoke means written specifically for you, not copied from someone else’s business where you just changed the Company name on the documents!

If you can honestly say yes to those 3 questions you will be well on the way to compliance. There are other considerations of course, such as staff training, international trade, using external data processors, etc. However, as with most things, a good foundation of the basics is the place to begin.

The good news is that there is plenty of advice and assistance to help you comply with the Regulations.

The Information Commissioner’s Office (ICO) website has masses of information.

Transition Law offers a free telephone advice helpline for small businesses which includes a written report on your current situation. Once your business is compliant, there is an accreditation scheme to demonstrate your compliance status. The scheme is called S.H.I.E.L.D. and is free of charge to any compliant business. There are more details about S.H.I.E.L.D. available on the

Visit the Transition Law website or follow on LinkedIn