Disclaimer: This article provides sources of information that you may find helpful but does not constitute legal advice from us. You are responsible for understanding and implementing plans for your data protection and marketing in line with current legal requirements. If in doubt, seek professional legal advice.

The ICO has produced this brief guide to data protection for small businesses.

It covers:

BSI have also produced a helpful set of resources here.

Your Responsibilities

It is your responsibility to comply with data protection regulations across your business, not just your website. This means you are the data controller and have data protection responsibility.

Our Responsibilities

It is our responsibility as a Software-as-a-service provider to process data captured via your website or hosted application, such as contact forms, CRM records or ecommerce orders. This means we are the data processor and do not have direct responsibility like you do, but nevertheless we work to provide a secure environment and appropriate functionality within the software to help you to comply regarding the use of our systems.

"The DPA’s interpretation of the seventh data protection principle (security) requires that: Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh (security) principle— (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures."  Data Protection Act

Read more about: 

Difference between data controllers and data processors

Cloud and Software-as-a-service providers and data protection

Other 3rd Party Data Processors

Your website may be integrated into other 3rd party systems which in turn act as data processors. For example, this could include payment processors on ecommerce sites, such as Sagepay and Paypal. As the data controller you will need to ensure these data processors are suitable to carry out their activities too.


A contract should exist between the data controller and data processor. 

"Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless— (a) the processing is carried out under a contract—(i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle." Data Protection Act

Providing Further Updates

We are not qualified to give out general advice on implementing the Data Protection Act or GDPR for your business. You should seek a local, qualified practitioner to help you if this is needed. However, we will issue information about the scope and changes to our software that relate to GDPR and data protection on our Freshdesk updates page.

Disclaimer - take independent advice - click to read more