Disclaimer: This article provides sources of information that you may find helpful but does not constitute legal advice from us. You are responsible for understanding and implementing plans for your data protection and marketing in line with current legal requirements. If in doubt, seek professional legal advice.
The ICO has produced this brief guide to data protection for small businesses.
- Getting ready for the GDPR (General Data Protection Regulations which come into force on 28th May 2017)
- Data protection – looking after the information you hold
- Data protection self-assessment toolkit
- Data protection guidance for small businesses
- Getting it right: a brief guide to data protection for small businesses (pdf)
- Getting it right: small business checklist (pdf)
- Personal information online: small business checklist (pdf)
- A practical guide to IT security: ideal for the small business (pdf)
- A practical guide to IT security: ideal for the small business (Welsh language) (pdf)
- Training checklist for small and medium-sized organisations (pdf)
- Outsourcing - a guide for small and medium-sized businesses (pdf)
- Collecting information about your customers: small business checklist (pdf)
Registration with the ICO
BSI have also produced a helpful set of resources here.
It is your responsibility to comply with data protection regulations across your business, not just your website. This means you are the data controller and have data protection responsibility.
It is our responsibility as a Software-as-a-service provider to process data captured via your website or hosted application, such as contact forms, CRM records or ecommerce orders. This means we are the data processor and do not have direct responsibility like you do, but nevertheless we work to provide a secure environment and appropriate functionality within the software to help you to comply regarding the use of our systems.
"The DPA’s interpretation of the seventh data protection principle (security) requires that: Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh (security) principle— (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures." Data Protection Act
Read more about:
Other 3rd Party Data Processors
Your website may be integrated into other 3rd party systems which in turn act as data processors. For example, this could include payment processors on ecommerce sites, such as Sagepay and Paypal. As the data controller you will need to ensure these data processors are suitable to carry out their activities too.
A contract should exist between the data controller and data processor.
"Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless— (a) the processing is carried out under a contract—(i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle." Data Protection Act
Providing Further Updates
We are not qualified to give out general advice on implementing the Data Protection Act or GDPR for your business. You should seek a local, qualified practitioner to help you if this is needed. However, we will issue information about the scope and changes to our software that relate to GDPR and data protection on our Freshdesk updates page.