The ICO exists to empower you through information.

This blog has been written to help sole traders, small organisations, and SMEs understand some of the most common data protection mistakes that can happen – and simple steps that can help put things right.

Whether you’re just getting started or you’ve been at this a while, the more you learn about data protection and what you should be doing to comply with the law, the more likely you are to notice when things don’t go to plan.

We’re here to help. That’s why we’ve put together some of the most common data protection mistakes that organisations tell us about on a daily basis – and how to fix them. 

If you need more advice, you can get help and support from our dedicated team.

Sending an email to the wrong person

This is easy to do, especially if more than one person in your address book has the same name.

Tools like Autofill predict who you’re emailing when you start typing someone’s name in the ‘To’ field. It’s a quick way to go through your address book. But the few seconds you save by using Autofill could end up costing you a lot more if you send personal data to the wrong person by mistake.

Fix it

Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails.

The 72 hours following a personal data breach are particularly critical. We’ve set out the steps you need to follow in this handy guide on how to respond to a personal data breach.

Putting service messages in the same boat as marketing

Service messages aren’t the same as marketing messages. Service messages aim to keep people informed by providing important factual information, such as a warning about the safety of a product. Marketing messages, on the other hand, aim to promote a service, business or organisation.

Generally speaking, you should consider them separately. While you can’t always legally contact people for marketing purposes, you can contact them to tell them things they need to know as part of the service you’re providing, or that would help keep them safe.

Fix it

Try to think of data protection as a set of principles, rather than a definitive list of what you can and can’t do.

Make sure you know the rules around marketing messages before you collect and use people’s information in this way – whether that’s a product, a service or an idea. You also need to be careful not to combine service and marketing messages. Even if you put a service message at the end of a sales email, you’ll still need to follow the marketing rules.

Letting your ICO registration expire

If you have or use information about people, also known as processing, you may have to register with the ICO and pay a fee.

Data protection fees are due to be paid every year. If you need to pay – and don’t – you could be fined. Most small organisations will only need to pay £40 or £60 a year.

Fix it

Check if you need to pay. If you’ve already registered and paid, you’ll receive a certificate from the ICO which will include your renewal date. It’s a good idea to either set up a Direct Debit, or set a reminder one month before your annual fee is due so that you can pay it on time.

Opening unfamiliar web links or attachments

Occasionally, you may get emails from people you don’t know, or receive suspicious-looking links and attachments. Sometimes, these can be phishing emails or attempts at other types of cyber crime which can harm your computer and systems.

Fix it

You need:

  • suitable firewalls for all work devices;
  • storage systems that are fit for purpose; and
  • trained staff that know how to spot suspicious emails before clicking on links or opening attachments.

For more information on how to secure your data, the NCSC has a suite of helpful resources.

Keeping things you don’t need, ‘just in case’

The more personal data you hold, the more storage space and security measures you need to keep it safe – which will cost you time, as well as money. For example, it’ll take you longer to deal with a request for information if you need to search through thousands of old documents, rather than a few hundred current ones. In addition, data protection legislation says that personal information shouldn’t be kept for longer than you need it.

Fix it

Have a reason to keep information, rather than a reason to get rid of it. If you’re required to keep information for a certain length of time, such as financial, medical or legal records, record your reasons in a retention policy. This is a document that sets out your approach to how you manage, store and delete records. You should sort through your data on a regular basis and destroy personal data securely when you no longer need it.

Ignoring a subject access request (SAR) because you don’t know what it is, or it wasn’t emailed to you

In data protection law, people have a ‘right of access’ to their own personal information. This means they can request any personal information that you may hold about them, known as a subject access request (SAR).

SARs can be made verbally or in writing. They don’t have to be directed to a specific contact in your organisation, or made using particular language or with reference to data protection legislation. You can’t require people to make a request in writing or ask them to use a specific form. If you receive a verbal request, you can invite people to follow up in writing, only if they want to. Having a written record of a SAR can be helpful for both parties, particularly if they made their request over the phone and you need to clarify a few points. But whether or not you make a written note of their request or they follow up in writing, their verbal request still stands. For example, an employee could ask for their personal information during a disciplinary meeting – this would count as a SAR.

Fix it

Make sure you and your staff understand how to recognise a subject access request and what to do if you receive one. In brief, it’s a subject access request if a person asks for information you hold about them, and you need to supply them with a copy of their personal information within set timeframes.