Data Protection Checklist

The checklist below outlines some key data protection considerations for early-stage businesses in the UK.

(Note that this checklist focuses on compliance with UK data protection laws. If you process personal data of individuals outside of the UK, you will need to consider additional data protection laws.)

The regulator for data protection in the UK is the Information Commissioner’s Office (ICO).
The ICO’s website contains very useful guidance about how to comply with UK data protection laws.
The ICO also publishes specific advice for small to medium-sized organisations.


1. Will any personal data be processed?

Personal data includes any information which directly (e.g., name, address, email address) or indirectly (e.g., IP address, device ID) identifies an individual.
Data protection laws apply only to the processing (i.e., collection, use, and sharing) of personal data.

No

If you do not collect any personal data (or data is anonymised), you will not need to consider data protection compliance further.
Note that most small organisations will process some personal data. If you are unsure, use the ICO’s self-assessment tool.

Yes

If you collect personal data, you must identify the steps to comply with applicable data protection laws.


2. What is your role in relation to the personal data?

Once you have identified that you process personal data, you will need to establish your legal obligations in connection with the personal data you handle.
Your obligations will differ depending on whether you act as a “controller” or “processor” of personal data.

Are you a data controller?

You are the ultimate decision maker, determining the “why” and “how” of processing personal data.
Example: Collecting customers' names and emails to provide your service.
Use the ICO’s Controller self-assessment tool if unsure.

Are you a data processor?

You process personal data on behalf of a data controller, acting only on their instructions.
Example: A printing company producing invites for a gym.
Use the ICO’s Processor self-assessment tool if unsure.

Are you a joint controller?

Two data controllers working together on the same project may be joint controllers, jointly determining the “why” and “how.”

ICO guide to controllers and processors.


3. Controller Checklist

If you are acting as a data controller, consider the following:

Do you need to register with the ICO and pay the data protection fee?

The ICO requires certain organisations to register and pay an annual fee.
Check the requirement using the ICO’s tool.

What is your lawful basis for processing personal data?

You need a valid reason (lawful basis) to collect and process personal data.
There are six bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Use the ICO’s lawful basis checker.

What personal data do you collect?

Keep a record of the data you collect, why you collect it, how you use it, and who you share it with.
Only collect necessary personal data.
ICO guidance on data mapping.

Are you transparent about how you process personal data?

Inform individuals why you need their data and how you use it through a privacy notice.
ICO’s privacy notice guidance.

How will you deal with individual data protection rights?

Individuals have rights regarding their personal data, such as requesting access, deletion, or changes.
ICO guide to individual rights.

How secure is the personal data you store?

Implement practical measures to protect data.
ICO tips for keeping IT systems secure.

How will you handle a personal data breach?

If a personal data breach is likely to result in a risk to individuals, you must notify the ICO within 72 hours of becoming aware of it.
ICO guidance on breaches.


4. Processor Checklist

If you are acting as a data processor, consider the following:

Do you have instructions from the data controller?

Process personal data only on clear instructions from the controller, documented in a Data Processing Agreement (DPA).
ICO guide to accountability and governance.

Can you engage another processor to help?

You must obtain authorisation from the data controller before engaging another processor.

ICO guidance for processors.


What happens if you do not comply?

The ICO has the power to take enforcement action, including fines, for non-compliance.
While risks are higher for larger organisations handling complex or sensitive data, smaller businesses should still aim for compliance.

ICO advice on avoiding fines.


This checklist is not exhaustive. Seek legal advice for more detailed analysis.