Data protection, or data privacy, is concerned with the protection of individuals' personal data, and how it is 'processed' - that is, how it is collected, stored, used and shared with others.
Running any business, whether or not online, will almost inevitably mean obtaining personal data of customers, and using it to process orders, deliveries, payment and so on, and possibly storing and analysing this data or sharing it with business partners or other suppliers in order to run your business and meet customer requirements. It is not just customers you need to think about - this could be the personal data you collect or use of any person, including employees, medical patients and so on.
There is data protection legislation your business will need to comply with when 'processing' this data, the highest profile being the 2018 EU General Data Protection Regulation. In the UK, the 2018 Data Protection Act imposes effectively the same compliance standard.
This legislation requires you to obtain individuals' consent, or to be clear on the lawful reason you have, for processing their personal data. It gives individuals broad rights in relation to the personal data you hold, amongst other things to access the data, to delete it, to remove their consent to your processing of it, and to lodge a complaint to the relevant data authority.
'Personal data' means any data that can be used, on its own or in combination with any other data, to identify an individual person: this could be name, phone number, email or postal address, photos, bank account details, computer IP address and so on. There are even more stringent requirements to comply with when processing 'special categories' of personal data - sensitive data about someone's age, race, gender, religion, sexuality, political views, trade union membership or biometric, genetic or health data.
Large fines could be imposed on the 'data controller' (person or company deciding how personal data will be processed) for failing to comply with data protection regulatory requirements, and perhaps allowing a 'data breach' (allowing the accidental or unlawful loss, alteration or unauthorised disclosure of someone's personal data): up to 4% of your global annual turnover. You need to take this seriously.
DATA PROTECTION POLICY
You will need to create a data protection policy for your business - one that is clearly accessible for people to read on your website or in your office, and importantly one that you implement and comply with at all times. This means making sure you have appropriate consent from data subjects, or are clear on the legitimate reason you have, for collecting, storing and processing their personal data. You should really seek legal advice to get this right.
Your policy needs to be clear on the following elements for all customers, employees or anyone else whose personal data you will handle:
HOW TO COMPLY
Creating a data protection policy is necessary, but not enough on its own to be GDPR compliant. In addition:
Check before launching that you can comply with your own policy, with all the necessary processes in place.
Check whether you need to register as a 'data controller' at the Information Commissioner's Office (ICO). If in doubt, do so (the cost is low).
If you will be carrying out any systematic processing of personal data, or handling special categories of personal data on a large scale, carry out an 'impact assessment' of the risk to relevant individuals.
Appoint a Data Protection Officer (notified to the ICO) if in a similar situation to that requiring an impact assessment. Even if not needed, it is recommended to appoint one team member to be responsible for data protection for your business.
Use 'cookies' (small files that help your website to 'remember' customer details) carefully, ensuring you have a legal reason to use them, or seeking express consent from website users.
Respond within one month to 'subject access requests' from individuals asking to access, edit or delete records of particular personal data, or objecting to any particular use.
Ensure you have processes to detect, investigate and report 'data breaches' (breaches of security leading to the destruction, loss, alteration or unauthorised disclosure of personal data, even if accidental or not caused by you). You need to report to the ICO within 72 hours if the breach is likely to pose a risk to the individual's rights and freedoms, and if the risk is high, you need to tell the individual as soon as you can ('without undue delay').