Run a compliant information service business

Handle personal data as controller and processor

You are a controller of the personal data you hold for your own purposes — staff, customers and marketing lists. When you process client data on a client's instructions — hosting it, processing it, compiling it — you are usually also a processor, and UK GDPR Article 28 requires a written contract with each controller setting out the processing, your security obligations, and the rules for engaging sub-processors. Map which role you hold for each dataset; your duties differ by role. This applies UK-wide.

UK GDPR lawful bases for processing personal data

The 6 (now 7) lawful bases under UK GDPR Article 6 for processing personal data.

Under UK GDPR Article 6, you must have a valid lawful basis to process personal data. You cannot process personal data without identifying at least one lawful basis that applies to each processing activity.

1. Consent (Article 6(1)(a)): The individual has given clear, specific, informed consent for you to process their personal data for a specific purpose
2. Contract (Article 6(1)(b)): Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract
3. Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a common law or statutory obligation under UK law
4. Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life
5. Public task (Article 6(1)(e)): Processing is necessary for performing a task in the public interest or for official functions that have a clear basis in law
6. Legitimate interests (Article 6(1)(f)): Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's interests, rights, or freedoms

Consent requirements: Must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give.

Legitimate interests: Requires a documented Legitimate Interest Assessment (LIA) balancing test. Not available to public authorities for their core tasks.

7. Recognised legitimate interests (NEW - from June 2025): Processing necessary for certain pre-approved purposes without requiring a balancing test (Data Use and Access Act 2025)
Recognised purposes include: National/public security, defence, emergencies, crime prevention/detection, safeguarding vulnerable individuals
Effective date: 19 June 2025

Note: Direct marketing and intra-group data sharing still require a Legitimate Interest Assessment even under recognised legitimate interests.

ICO guide to lawful basis

Register with the ICO and pay the data protection fee

Unless a narrow exemption applies, you must register with the Information Commissioner's Office and pay the annual data protection fee — for an information service business, processing personal data is the business, so assume you must register unless you have confirmed otherwise. This applies UK-wide.

Data protection fee: ICO registration

Legal requirement to pay data protection fee to ICO under Data Protection Act 2018.

Under the Data Protection (Charges and Information) Regulations 2018, most organizations that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO).

Who must pay

Must pay if your business:

Processes personal information about individuals (customers, employees, suppliers)
Is not covered by a limited exemption

Personal data includes: Names, addresses, email addresses, phone numbers, IP addresses, employee records, customer orders, marketing lists.

Tier 1 fee (most small businesses): £52 per year - Turnover up to £632,000 AND 10 or fewer staff (from Feb 2025)
Tier 2 fee: £78 per year - Turnover up to £36 million AND 250 or fewer staff (from Feb 2025)
Tier 3 fee (large organizations): £3,763 per year - Turnover over £36 million OR over 250 staff (from Feb 2025)
Penalty for non-payment: Up to £4,350 plus the fee owed

When to register

Before you start processing personal data - this means from day one for most businesses. You process personal data if you:

Keep customer records (names, email addresses, order history)
Have employees (employment records, payroll, contact details)
Use suppliers (contact information)
Send marketing emails
Use cookies on your website
Store business contacts in a CRM

Exemptions

Very limited exemptions exist. You're exempt only if you:

Only process personal data for personal or household purposes (not business)
Only process data for accounts, records, and admin required by law (very narrow - consult ICO guidance)
Are an MP, elected representative, or judge (specific exemptions)

Most businesses are NOT exempt - if you have any customer or employee data, you likely need to pay.

Registration process

Self-assess your tier using ICO's online tool
Register online at ico.org.uk
Pay annual fee by Direct Debit or card
Receive registration confirmation - Your registration appears on ICO's public register
Renew annually - ICO will remind you when renewal is due

Renewal: Annual - ICO sends renewal reminder before expiry
Public register: Your registration is publicly searchable on ICO website
Direct Debit discount: £5 discount if paying by Direct Debit

Pay the data protection fee

Follow the electronic marketing and cookie rules

If your service sets cookies or similar tracking technologies, or you market by email, SMS or telephone, you must follow the Privacy and Electronic Communications Regulations (PECR), whose consent rules sit alongside and are stricter than the UK GDPR alone. For portals and hosted services that rely on analytics and advertising cookies this is day-one compliance work. Enforced by the ICO; applies UK-wide.

Privacy and Electronic Communications Regulations (PECR)

PECR governs electronic marketing, cookies, and similar technologies. Tech businesses must comply with rules on cookies, marketing emails, texts, and automated calls. PECR works alongside UK GDPR.

Cookie and tracking technology rules

You must:

Tell users about cookies and similar technologies (JavaScript, pixels, fingerprinting)
Get consent before setting non-essential cookies
Provide clear information about what each cookie does
Allow users to withdraw consent easily

Exceptions: Strictly necessary cookies (authentication, security, load balancing) do not require consent but must be disclosed.

Email and text marketing rules

To individuals:

Get consent before sending marketing (opt-in)
Soft opt-in allowed if you collected contact details during a sale and are marketing similar products
Provide clear opt-out in every message
Include your identity and valid contact details

To businesses (B2B):

Emails: Can market without consent but must allow opt-out
Texts and automated calls: Need consent

Location data and traffic data

Processing location data requires consent unless for network security. Traffic data (connection metadata) has specific retention and security requirements.

Step 1: Audit your website/app for all cookies and tracking technologies
Step 2: Implement a compliant cookie consent banner with granular controls
Step 3: Create a detailed cookie policy explaining each technology
Step 4: For marketing emails, maintain clear opt-in records and honour opt-outs immediately
Step 5: Include your business name and physical address in all marketing emails
Step 6: For SMS marketing, only contact individuals who have opted in
Step 7: Review third-party tools (analytics, advertising, CRM) for compliance
Step 8: Ensure consent mechanisms work on all devices and browsers
Step 9: Document your PECR compliance measures

ICO guidance on PECR

Insure your employees

If you employ anyone — developers, operations staff, journalists or researchers — you must hold employers' liability insurance of at least £5 million from an authorised insurer. This is a duty in Great Britain; equivalent rules apply in Northern Ireland.

Employers' Liability Insurance Requirements

Legally required insurance for businesses that employ staff

Legal requirement: LEGALLY REQUIRED if you employ anyone (even part-time or family members working for you)
Minimum cover: £5 million minimum (most policies provide £10 million)
Penalty for non-compliance: £2,500 fine per day without insurance, plus £1,000 fine for not displaying certificate
What it covers: Compensation claims from employees injured or made ill at work
Exemption: Close family businesses may be exempt

Employers' Liability Insurance

Keep your workplace safe

You owe a general duty to protect employees and others affected by the business — offices, server rooms and data centres included. The Health and Safety at Work etc. Act 1974 applies in Great Britain; Northern Ireland has its own corresponding health and safety order.

Health and Safety at Work etc. Act 1974 (HASAWA)

The Health and Safety at Work etc. Act 1974 - primary UK workplace health and safety legislation establishing employer and employee duties. Pure data reference.

The Health and Safety at Work etc. Act 1974 (HASAWA 1974) is the primary legislation governing workplace health and safety in the United Kingdom. It establishes the legal framework for protecting the health, safety and welfare of people at work and those affected by work activities.

Legal status: Primary legislation - principal UK health and safety statute
Royal Assent: 31 July 1974
Came into force: 1 April 1975 (in stages)
Geographic scope: Great Britain (separate legislation applies in Northern Ireland)
Applies to: All employers, employees, self-employed persons, and those who control work premises
Primary duty (Section 2): Employers must ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees
Duty to non-employees (Section 3): Employers must protect persons not in their employment (contractors, visitors, public) who may be affected by work activities
Employee duties (Sections 7-8): Employees must take reasonable care for their own health and safety and that of others, cooperate with employers, and not misuse safety equipment
Enforcement authority: Health and Safety Executive (HSE) and local authorities
Maximum penalties (post-2008 amendments): Unlimited fines in Crown Court; imprisonment up to 2 years for individuals; up to 6 months and/or £20,000 fine in Magistrates' Court
Referenced by regulators: Cited in 31 regulatory documents in the ORDS (Office for Regulatory Delivery and Simplification) dataset
Secondary regulations: Enables creation of health and safety regulations (e.g. Management of Health and Safety at Work Regulations 1999, COSHH, Manual Handling)

Reasonably practicable: The Act uses the term "so far as is reasonably practicable" throughout. This means employers must balance the level of risk against the time, trouble and cost of controlling it. However, the law is weighted in favour of health and safety - employers must demonstrate that control measures would be grossly disproportionate to the risk before they can be considered not reasonably practicable.

Self-employed persons: The Act also places duties on self-employed persons to protect their own health and safety and that of others who may be affected by their work activities.

Health and Safety at Work etc. Act 1974 (legislation.gov.uk)

HSE - Health and Safety at Work etc. Act 1974 guidance

Keep your premises fire-safe

The responsible person for non-domestic premises — offices, server rooms and data centres — must carry out and maintain a fire risk assessment. This is devolved: the Regulatory Reform (Fire Safety) Order 2005 covers England and Wales, with the Fire (Scotland) Act 2005 in Scotland and the Fire and Rescue Services (Northern Ireland) Order 2006 in Northern Ireland.

Regulatory Reform (Fire Safety) Order 2005

The 'responsible person' (employer, owner or occupier) must carry out a fire risk assessment for any non-domestic premises and implement appropriate fire safety measures. This applies to all hospitality premises including hotels, restaurants, pubs and nightclubs.

Who is the responsible person?

The responsible person is the employer, owner, landlord, occupier, or anyone with control of the premises. In hospitality, this is typically the business owner or manager.

Fire risk assessment

The responsible person must carry out and regularly review a fire risk assessment covering:

Identification of fire hazards (ignition sources, fuel, oxygen)
Identification of people at risk (employees, customers, vulnerable persons)
Evaluation and reduction of risks
Recording findings and fire safety plan (if 5+ employees)
Regular review and updates

Fire safety measures

Based on the risk assessment, implement appropriate measures including:

Fire detection and warning systems (smoke alarms, fire alarm panels)
Fire-fighting equipment (extinguishers, fire blankets)
Emergency escape routes and lighting
Fire safety signs and notices
Fire doors kept clear and free to close
Staff training on fire procedures
Emergency evacuation plan and drills

Fire Safety Act 2021 (from January 2022)

For buildings containing two or more sets of domestic premises (e.g. hotels, aparthotels), the responsible person must now assess fire risks in external walls, entrance doors to flats, and windows.

Step 1: Appoint a competent person to conduct fire risk assessment (may be yourself if trained)
Step 2: Complete fire risk assessment identifying hazards and persons at risk
Step 3: Implement control measures to reduce fire risk
Step 4: Ensure fire detection systems are installed and maintained
Step 5: Provide adequate fire-fighting equipment (extinguishers) and arrange annual servicing
Step 6: Establish clear evacuation routes with emergency lighting and signage
Step 7: Designate assembly point and ensure staff know evacuation procedures
Step 8: Train all staff on fire safety procedures during induction
Step 9: Conduct regular fire drills (at least annually)
Step 10: Record fire risk assessment findings if you employ 5 or more people
Step 11: Review fire risk assessment annually or after significant changes

Fire safety risk assessment guidance

Do not discriminate

You must not discriminate against employees or in services to the public because of a protected characteristic — and for an information service that includes the accessibility of your customer-facing digital services. The Equality Act 2010 applies in England, Scotland and Wales; Northern Ireland has its own equality law enforced by the Equality Commission for Northern Ireland.

Next steps

With the shared duties in place, follow the rules for your kind of information service:

Data processing, hosting and web portal rules — NIS security duties and Online Safety Act scope
Rules for news agencies and information services — copyright, press standards, media monitoring

Then confirm everything with the information services compliance checklist.

Run a compliant information service business

Set up and run a safe management consultancy

Management consultancy: compliance checklist

Office and business support compliance checklist

Advertising and market research compliance checklist

Telecommunications compliance checklist

Handle personal data as controller and processor

Register with the ICO and pay the data protection fee

Follow the electronic marketing and cookie rules

Insure your employees

Keep your workplace safe

Keep your premises fire-safe

Do not discriminate

Next steps

Related guides in Digital & Technology

Handle personal data as controller and processor

Register with the ICO and pay the data protection fee

Follow the electronic marketing and cookie rules

Insure your employees

Keep your workplace safe

Keep your premises fire-safe

Do not discriminate

Next steps