Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

This guide is designed to make data protection more accessible for beginners and to provide small organisations with basic steps and tips.


Keeping people’s personal data safe is key to getting them to trust the service you offer and, ultimately, your business. If you’ve not come across data protection law or the UK GDPR before, you may want to read our blog on the benefits of data protection laws before getting started.

Whether you have staff or trade by yourself, you’re responsible for protecting the personal data of (or information about) anyone who comes into contact with you – including your customers, suppliers and staff.

There’s no one-size-fits-all when it comes to giving data protection advice. Your business is unique and how you deal with personal data will be, too. You know your business best and this will help you decide what you do with the personal data you hold.  

Make a list

You’ll probably have personal data saved on your phone, tablet or computer to enable you to do your job – such as the names and contact details of customers, members or clients. You may also have details of upcoming bookings or appointments, or other notes. If you can identify someone personally from something you have stored, then it’s personal data and you need to account for it.

Start off by making a list of what personal data you have, or plan to collect, even if you don’t have much at first. For this list, you should be generalising types of information such as ‘phone numbers of customers’, rather than listing actual phone numbers.

Data protection laws don’t apply when you’re using personal data for purely personal or household activity, so you can ignore things like your family photo album and personal holiday planning calendar.

Ask ‘why’

There’s a balance to be made between what you want to do with people’s personal data, the benefits that brings to them or to society as a whole, and any harm that might be caused as a result.

If you’re holding or using people’s personal data, it must always be fair as well as lawful. This means you should only use their data in ways they’d reasonably expect. For example, if you’ve got their data through means that are deceitful or misleading, then everything you do after that (whether you think it’s lawful or not) is unlikely to be fair.

You also need a valid reason or ‘lawful basis’. There are six types of lawful basis you can use. Use our lawful basis checker to find out which you can rely on and keep a record of your decision.

Think security

Check your security measures line up with the sensitivity of the data you hold. Put stronger security measures in place if the data poses a higher risk or is sensitive.

The measures you choose are up to you but could include things like locking filing cabinets and putting strong passwords on your devices.

Be transparent

To build trust it’s essential to explain to people why you hold their data, what you'll do with it, and how long you'll keep it before getting rid of it.

For example, if you’re a plumber, you might want to explain that you’ll only keep your customers’ details while your own guarantee lasts, and that you’ll need to share their details with the manufacturer if they also want the manufacturer’s guarantee.

You should also record this information in a document, describing your approach to data protection. This is known as a privacy notice. 

You have to have a privacy notice before you collect any information from anyone. Use our privacy notice template and make sure you include everything you need to.

Know about subject access requests

By law, people have the right to know what personal information you hold about them. There are other rights, too, but one of the most commonly asked questions is how to deal with a request for this personal data, which is known as a subject access request (SAR). 

Use our guide on how to deal with a request for information or subject access request.

Know what to do if the worst happens

If you lose personal data – such as in a cyber-attack, flood, fire or theft – it could be a potential personal data breach. If it’s likely to result in a risk to the people affected, you'll need to report it to us. We’re here to help.

Check out our guide on how to respond to a personal data breach so you know what steps to take in an emergency.

Set some reminders

Data protection compliance is a journey. Our website is updated regularly to help you take simple steps towards improving your data compliance. Setting regular reminders to check our news and advice pages could be a great way to start.