Research commissioned by the ICO shows SMEs are less aware of the principles of the Data Protection Act than their larger peers.
Researchers found that although just more than half of SMEs realised they had to keep customer data secure, just 22% of the 800-plus SMEs surveyed were aware that they are required to keep customer information accurate and up to date under the act.
This is despite the fact that 94% of the companies surveyed believed that the act makes good business sense.
With identity theft on the rise, information commissioner, Richard Thomas, said the findings were of "considerable concern".
All businesses must now take their responsibility to protect personal information seriously, he said.