Must Read Additional Helpful ICO Guidance & Information

The Information Commissioner's Office (ICO) provides organisations of all types with a large amount of very helpful guidance and information, directly or indirectly related to the Data Protection Act and its subordinate regulatory frameworks. More often than not this includes Third Sector organisations, unless the ICO has advised you that you are exempt.

Please do make use of the ICO resources below. Admittedly, becoming compliant is not a simple five-minute job; it is one of those activities where you get out what you put in, and it most certainly should NOT be ignored.

A Data Protection Toolkit for SMEs

“If you hold or use personal information about your clients, employees or other people, you are legally obliged to protect that information. This toolkit helps you with what you need to know, and do.

Under the Data Protection Act 1998 (DPA) you must:

  • use personal information fairly and lawfully;
  • collect only the information necessary for a specific purpose(s);
  • ensure it is relevant, accurate and up to date;
  • only hold as much as you need, and only for as long as you need it;
  • allow the subject of the information to see it on request; and
  • keep it secure.

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your business' reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money.

This toolkit should help you evaluate and improve your compliance with the DPA.”

A Practical Guide to IT Security

“Keeping your IT systems safe and secure can be a complex task and does require time, resource and specialist knowledge. If you have personal data within your IT system you need to recognise that it may be at risk and take appropriate technical measures to secure it. The measures you put in place should fit the needs of your particular business. They don’t necessarily have to be expensive or onerous. The following practical steps will help you decide how to manage the security of the personal data you hold.”

Guidance on Data Security Breach Management

“This guidance sets out some of the things an organisation needs to consider in the event of a security breach. It is not intended as legal advice, nor is it a comprehensive guide to information security. It should, however, assist organisations in deciding on an appropriate course of action if a breach occurs.”

Overview of the General Data Protection Regulation (GDPR)

“This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements.”

Guide to Privacy & Electronic Communications Regulations (PECR)

“This guide is for organisations that wish to send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to the public.”

Guidance on Bring Your Own Devices (BYOD)

“This guidance explains to data controllers what they need to consider when permitting the use of personal devices to process personal data for which they are responsible.”

Guidance on Encryption

“This guidance explores use of encryption through a range of practical scenarios to highlight when and where different encryption strategies can help provide a greater level of protection.”

Personal Information Online Small Business Checklist

“This checklist will help small and medium sized businesses that operate online to make sure they collect and use information about the people they deal with properly. This checklist applies to information such as customers’ names and email addresses, or records of their purchases or enquiries. It also applies to information collected through the use of a ‘cookie’, for example where this is used to target marketing at people.”

IT Asset Disposal for Organisations

“This guidance explains to data controllers what they need to consider when disposing of electronic equipment that may contain personal data. It means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised. This is relevant in the IT asset destruction and recycling processes.”

FREE Advisory Visits by the ICO

The ICO also offers FREE advisory visits, although there are caveats. It is still well worth considering applying for one, to see if your organisation is eligible and to draw on the ICO's knowledge, guidance and support on the way to becoming fully Data Protection Act compliant.

Privacy Seals

“A privacy seal is a ‘stamp of approval’ which demonstrates good privacy practice and high data protection compliance standards. It will work much like the British Standard Institute’s Kitemark symbol, which is displayed on numerous products and services within the UK to demonstrate quality and high standards.”

What Next?

Please now go to the IS Know How page "What Is The Data Protection Act?" and read through the ICO's information, which we reiterate there for your benefit.

Charitable & Voluntary Data Security Incident Trends

You may also be interested in the statistics that IS Know How has extracted from the ICO's Data Security Incident Trends, specifically for the 'Charitable & Voluntary' sector, which the ICO publishes for "Data security incidents (breaches of the seventh data protection principle and personal data breaches reported under the Privacy and Electronic Communications Regulations)".

ISKH is in no way affiliated with, or working on behalf of, the Information Commissioner's Office. ISKH is simply putting forward the importance of compliance to our target audience(s), and supporting the ICO's drive to show that Data Protection Act compliance has a positive impact on a business's or organisation's cyber and data security posture. Any externally linked ICO content on the ISKH website, including PDF documents or video media, is offered for information purposes only, as is.