Data Protection for Ecommerce: Personal Data
In our previous blog article we looked at data protection and website cookies. In this article we look at what the law says about protecting personal data and highlight a couple of areas especially relevant to e-commerce websites.
The Data Protection Act 1998
If your website collects personal data then you have legal obligations under the Data Protection Act 1998 (DPA). There are things you must do in order to comply. Even if your website only collects an email address for a newsletter, or a name and phone number for a callback, the DPA still applies. It applies to sole traders, charitable organisations, major retailers and everyone in between.
For the purposes of the DPA ‘personal data’ is data about a living individual. There are nuances to the definition, but for most e-commerce websites the data visitors provide in order to:
- create an online account,
- order/pay for your products and
- sign up for newsletters or offers
will fall into the definition of ‘personal data’.
Registering as a Data Controller
If you collect and store any form of personal data from website visitors then you must register as a Data Controller with the Information Commissioner’s Office (ICO). There are some exemptions but they are very specific and unlikely to apply to an e-commerce website.
Data Protection Principles
So, now you’ve registered, what next? Well, registration is the first of your legal obligations. There are a range of other responsibilities that will affect how you subsequently handle the data you collect. These responsibilities are set out as the 8 data protection principles:
1. personal data should be processed fairly and lawfully
2. it should only be used for the purposes it was collected for
3. the data collected should be adequate, relevant and not excessive
4. data should be accurate and kept up-to-date
5. personal data should not be kept for longer than necessary
6. observe the rights of the data subject
7. you need to have adequate systems and processes in place to protect the data
8. personal data shouldn’t be transferred out of the EEA unless adequate safeguards to protect the data are in place.
Full details of each of these principles, along with examples, are given on the ICO website and are well worth a read. Principles 6 and 8, in particular, raise some interesting issues that may affect your online business and/or website design.
Observing the rights of the data subject (principle 6)
A data subject (i.e. a person whose personal data you are holding) has a number of ‘rights’ that they can exercise, including:
Making a Subject Access Request
A data subject has the right to see a copy of the personal data you hold about them. There are some exemptions but, by and large, you need to comply within 40 days of the request. You, as a data controller, need to be able to identify when such a request has been made (there’s no official form) and respond appropriately.
Opting out of direct marketing
An individual can opt out of direct marketing. The DPA gives general rights to opt out of direct marketing in all forms. The Privacy and Electronic Communications (EC Directive) Regulations 2003 also apply if you send out marketing emails, texts or telephone calls.
While the DPA grants a right to opt out, the Privacy and Electronic Communications Regulations go further and require (in most cases) a clear opt-in before you can send e-marketing material to someone in your database. At the very least, if you want to send marketing emails (including newsletters), you will need to have a clear opt-in process on your website. And this does have to be a clear opt-in: not a pre-selected ‘send me marketing stuff’ checkbox.
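As an added illustration (not code from the original article), here is a small Python consent store for a newsletter signup that puts the two points above into practice: only a checkbox that was actually submitted with an affirmative value counts as consent (an absent or unticked box never does, so a pre-selected default cannot be relied on), an opt-out always overrides an earlier opt-in, and everything held about a person can be exported to answer the subject access request described under ‘Making a Subject Access Request’. The names ConsentStore and marketing_opt_in, and the assumption that a form submission arrives as a dict of field names to strings, are mine, not the article’s.

```python
"""Consent capture and subject access helpers for a newsletter signup form.

Added example, not code from the original article. Assumes a form submission
arrives as a dict of field name -> string (the shape most web frameworks give
you) and keeps records in memory; a real site would persist them.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

PURPOSE_MARKETING = "email_marketing"

# Values a browser sends for a ticked checkbox. A missing field (box left
# unticked) is never treated as consent: only an affirmative submitted value
# counts, so a pre-ticked default on the page gains nothing on the server side.
AFFIRMATIVE = {"on", "yes", "true", "1"}


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str
    granted: bool            # True = opted in, False = opted out / never consented
    recorded_at: datetime    # when the person acted, kept for the audit trail
    source: str              # where the decision was captured, e.g. "signup_form"


class ConsentStore:
    """Latest decision per (email, purpose) plus the full history of decisions."""

    def __init__(self) -> None:
        self._latest: Dict[Tuple[str, str], ConsentRecord] = {}
        self._history: List[ConsentRecord] = []

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def _add(self, record: ConsentRecord) -> None:
        self._history.append(record)
        self._latest[(record.email, record.purpose)] = record

    def record_signup(self, form: Dict[str, str], source: str) -> ConsentRecord:
        """Process a signup form. Consent is granted only if marketing_opt_in
        was submitted with an affirmative value; absent or other values mean no."""
        email = self._normalise(form.get("email", ""))
        if not email or "@" not in email:
            raise ValueError("a valid email address is required")
        raw = form.get("marketing_opt_in")
        granted = raw is not None and raw.strip().lower() in AFFIRMATIVE
        record = ConsentRecord(email, PURPOSE_MARKETING, granted,
                               datetime.now(timezone.utc), source)
        self._add(record)
        return record

    def opt_out(self, email: str, source: str = "unsubscribe_link") -> ConsentRecord:
        """Honour an opt-out; it always supersedes any earlier opt-in."""
        record = ConsentRecord(self._normalise(email), PURPOSE_MARKETING, False,
                               datetime.now(timezone.utc), source)
        self._add(record)
        return record

    def may_send_marketing(self, email: str) -> bool:
        """Check before every send: the latest recorded decision must be an opt-in."""
        record = self._latest.get((self._normalise(email), PURPOSE_MARKETING))
        return record is not None and record.granted

    def subject_access_export(self, email: str) -> List[dict]:
        """Everything held about this person, for answering a subject access request."""
        key = self._normalise(email)
        return [asdict(r) for r in self._history if r.email == key]


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed sample submissions: one without the checkbox, one with it ticked.
    store.record_signup({"email": "A@Example.com"}, "signup_form")
    store.record_signup({"email": "b@example.com", "marketing_opt_in": "on"}, "signup_form")
    print("a@example.com:", store.may_send_marketing("a@example.com"))   # False
    print("b@example.com:", store.may_send_marketing("b@example.com"))   # True
    store.opt_out("b@example.com")
    print("b after opt-out:", store.may_send_marketing("b@example.com"))  # False
    for row in store.subject_access_export("b@example.com"):
        print(row)
```

The check in may_send_marketing belongs in the sending path, not just at signup time, so that an opt-out received between signup and the next mailing is respected; the history, rather than only the latest flag, is what you hand over when someone asks what you hold about them.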
Don’t transfer data outside the EEA without adequate safeguards (principle 8)
This is where it starts to get a bit … complicated. If your website is hosted in the EU and you don’t send any personal data anywhere else then principle 8 will not cause you any concern.
Transferring data within the EEA
Many e-commerce sites these days, however, make use of sophisticated email marketing services (e.g. MailChimp), voucher and incentive programs (e.g. Referralcandy) and other 3rd party services. You typically need to provide some of your customers’ personal data to the 3rd party to use their service.
If the service provider’s servers (where the data will be held) are in a country in the EEA (European Economic Area) then there are no restrictions on transferring data. You must, of course, still satisfy the other data protection principles.
The EU publishes a list of other countries that are judged to offer adequate safeguards. These countries are currently on the list:
- Faroe Islands
- Isle of Man
- New Zealand
So, you can also transfer data to the above countries without any additional restrictions.
Transferring personal data to other countries
Some of the services your website uses might be based in the USA. As you can see, the USA is not on the EU’s list of countries deemed to have adequate safeguards in place.
The question of legal protection for data transferred to the USA is a bit of a ‘hot’ topic just now and quite political (if you’re into that kind of thing). As a high level summary, glossing over many nuances and details, you are likely to be able to transfer personal data to the USA if:
- the organisation you are sending the data to is part of the Privacy Shield Scheme, or
- adequate protection can be provided by incorporating specific legal clauses (e.g. EU Model Clauses) into the contract between you and the 3rd party supplier.
(There are a number of other exceptions but they are less likely to be of use to an SME e-commerce website.)
Mailchimp (our favourite example) is part of the Privacy Shield Scheme and also incorporates Model Clauses into its data processing agreement. If you visit their website you will see that there is specific information about data privacy and protection for EU companies. That’s the kind of thing you’re looking for to comply with principle 8 of the DPA.
Model Clauses and other contractual arrangements can also be used with other countries to safeguard the transfer of personal data.
There’s a possibility that the legality of the Model Clauses approach could be challenged in the EU courts in near future. For now, however, the guidance from the ICO is that businesses can rely on the standard clauses to provide adequate safeguards.
If the company you want to use:
- is not based in an EEA or otherwise ‘approved’ country,
- is not part of the USA Privacy Shield scheme, and
- doesn’t offer suitable contractual arrangements
then you have the option to assess the adequacy yourself. If you want to go down this route then the guides on the ICO website are a good place to start. It could end up being a lengthy process requiring legal guidance.
What happens if I don’t comply?
The ICO has a wide range of ‘tools’ at its disposal to penalise and educate people and organisations who breach the DPA. Actions can include:
- non-criminal enforcement
- criminal prosecution
- fines of up to £500,000
The ICO also publishes details of what actions it has taken on its website – so there’s an element of ‘name and shame’ as well. There is an online form that anyone can use to submit a complaint – so you shouldn’t assume that the ICO only goes after ‘big fish’.
Where to go for more information
The ICO is the authority on interpreting the Data Protection Act in the UK. Its website provides a wide range of factsheets, guides, tools, blog articles and checklists to help businesses meet their obligations under the DPA.