What is the Information Commissioner’s Office?
The Information Commissioner’s Office is the UK’s data protection regulator. Essentially the ICO’s responsibility is to ensure that businesses in the UK are compliant with strict data protection rules. They investigate organisations that go against these principles and impose penalties where appropriate.
What is Data Protection?
Almost every service we use involves the collection and analysis of our personal data - from social media companies, to banks, retailers and governments. The General Data Protection Regulation (GDPR) was implemented by the European Union (EU) in 2018 and is designed to give EU citizens more control over their personal data. GDPR applies to any organisation operating within the EU, as well as to any organisation outside of the EU which offers goods or services to customers or businesses in the EU. Its aim is to ensure personal data doesn’t fall into the wrong hands and isn’t misused.
What is considered to be personal data?
Personal data includes information which will “identify” an individual. This includes names, national insurance numbers, addresses and even online identifiers (e.g. IP addresses).
What is the Data Protection Act 2018?
GDPR was adopted into UK law through the Data Protection Act 2018. It controls how personal information is used by organisations, businesses or the government. Everyone responsible for using personal data has to follow strict rules called ‘data protection principles.’ They are as follows:
- Fairness and transparency.
- Collected for specified and legitimate purposes.
- Relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Personal data must not be kept for longer than you need it.
- Responsibility for what you do with the data.
How does this affect an Ecommerce business?
Your ecommerce business probably processes a lot of personal data. For example:
- Names, shipping addresses and other information that might be used to directly identify individuals.
- Payment card details and sometimes sensitive or revealing information that must be processed securely.
- Technical information like IP addresses and cookies that might be used to indirectly identify individuals.
If you use any of the above then you will need to review all of your methods of collection, processing and storage of personal data and potentially implement changes to keep your business compliant.
Here are some next steps you should take:
- Deactivate any default opt-ins (i.e. make sure the subscription option below is unselected). The idea is that your customer consents by manually choosing to agree to any terms and conditions and to opt in to any email subscriptions etc.
- Review the personal data you currently store (you probably have a lot in your inbox!). Data erasure is a large part of the GDPR; you should go over your organisation’s email policy, perhaps with a goal of deleting emails after a certain period of time.
Do I need to pay the data protection fee?
Any organisation (including limited companies and sole traders) which processes personal data is required to register with the ICO and pay the data protection fee, unless you’re exempt. The ICO provides an online self-assessment tool to help businesses and individuals check whether or not they need to register and pay the fee. You can also call their helpline number in case you need it: 0303 123 1113 ext. 1700
Organisations which have previously registered will receive a reminder annually to pay the data protection fee.
If you sell on an online marketplace…
- If you only sell via an online marketplace, such as Amazon, eBay or Etsy, it is the platform that is liable for the data protection fee.
If you sell on your own online store via Shopify, Wix, Braintree etc…
- You are exempt if you’re only processing personal data for the core business purposes, i.e. staff admin (including payroll), accounts or records (i.e. invoices and payments - the information is restricted to what is necessary for your accounts/records, e.g. name, address and credit card details).
- You are exempt if you only advertise, market and/or process information for public relations in connection with ONLY your own business activity – you cannot advertise and market goods and services of other businesses. For this exemption to apply, you must meet all the following criteria:
  - The individuals you hold information about are restricted to any person whose personal information you need to process for your own advertising, marketing, or public relations – for example past, existing or present customers or suppliers.
  - Your information is restricted to information that is necessary for your advertising, marketing, and public relations – for example, names, addresses and other identifiers.
  - You advertise and market your own goods and services.
However, if you sell or trade a list of your customers, you must pay the fee.
If you DO NOT need to pay the fee, you must notify the ICO.
If you use CCTV…
- If you use CCTV on your business premises for the purpose of crime prevention, you would need to pay a fee to the Information Commissioner’s Office.
This shouldn't affect many of the smaller sellers, but we wanted to include this just in case.
How much does it cost?
The cost of your data protection fee depends on your size and revenue. There are three tiers of fees ranging from £40 to £2,900, but for most organisations it will be £40 or £60 a year.
Be aware of scams
The ICO is warning companies to be aware of scams relating to payment of the data protection fee. If you’ve received a letter, text message, email or telephone call from them and want to check that it’s genuine, please search ‘ICO fee’ using your usual search engine. Follow the top results to website links which begin with https://ico.org.uk, and this will bring you to the official website.