You must follow rules on data protection if your business stores or uses personal information.

This applies to information kept on staff, customers and account holders, for example when you:

recruit staff

manage staff records

market your products or services

use CCTV

This could include:

keeping customers’ addresses on file

recording staff working hours

giving delivery information to a delivery company

For information on direct marketing, see marketing and advertising: the law.

Data protection rules

You must make sure the information is kept secure, accurate and up to date.

When you collect someone’s personal data you must tell them who you are and how you’ll use their information, including if it’s being shared with other organisations.

You must also tell them that they have the right to:

see any information you hold about them and correct it if it’s wrong

request their data is deleted

request their data is not used for certain purposes

The main data protection rules are set out in the data protection principles.

What you have to do

You must:

tell the Information Commissioner’s Office (ICO) how your business uses personal information

respond to a data protection request, if someone asks to see what information you have about them