
IT and programming business: compliance checklist

Use this checklist to confirm your IT, programming or consultancy business (SIC division 62) meets its obligations. Work through the universal workplace items every employer shares, then the data protection and NIS items that bite harder in this sector. If you answer no to any item, follow the linked guide before you proceed.



Workplace health and safety is enforced by the Health and Safety Executive in Great Britain and by HSENI in Northern Ireland. Data protection is enforced UK-wide by the Information Commissioner's Office (ICO). Each section names the body that applies.

Section 1 — Workplace and employment duties

These duties apply to every employer. Confirm each one.

  1. Have you carried out your health and safety risk assessments?

    Your general duty under the Health and Safety at Work etc. Act 1974 is to ensure, so far as is reasonably practicable, the health, safety and welfare of your people. Risk-assess display screen equipment workstations, stress and mental health, and lone working, and put safe systems of work in place. If not, follow "Set up and run a safe IT and programming business".

  2. Have you carried out your fire risk assessment?

    The responsible person must carry out a fire risk assessment and maintain fire-safety arrangements under the Regulatory Reform (Fire Safety) Order 2005 in England and Wales, the Fire (Scotland) Act 2005 in Scotland, or the Fire and Rescue Services (Northern Ireland) Order 2006 in Northern Ireland.

  3. Do you hold employers' liability insurance?

    You must hold at least £5 million of employers' liability compulsory insurance once you employ anyone, and display or make available the certificate.

  4. Do you meet your equality and data protection duties?

    Do not discriminate under the Equality Act 2010 (or separate NI equality law enforced by the ECNI). Comply with the UK GDPR and Data Protection Act 2018, and register with the ICO unless you are exempt.

Section 2 — Data protection and NIS duties

IT businesses carry these duties more heavily than most. Confirm each one.

  1. If you process personal data on behalf of clients, do you have data processing agreements in place?

    As a data processor under the UK GDPR, you must have a written contract with each controller setting out the subject matter and duration of processing, the nature and purpose, the types of personal data and categories of data subject, and the controller's obligations and rights. The ICO enforces UK-wide.

  2. If you provide a relevant digital service, have you registered with the ICO as a relevant digital service provider?

    If you provide an online marketplace, online search engine or cloud computing service and you are not a micro or small enterprise, the Network and Information Systems Regulations 2018 require you to take appropriate and proportionate technical and organisational measures to manage the risks to your network and information systems, notify the ICO of significant incidents, and register. This applies UK-wide.

If you answered no to anything

Work through the guide linked in that item before you proceed. The spine — Set up and run a safe IT and programming business — sets out what to do. Start from the router if you are not sure which duties apply to you.