As an e-commerce business, you must handle your customers’ personal data securely. This is the case even if you only work with a few clients. Indeed, after the General Data Protection Regulations (GDPR) came into effect in 2018, businesses in England and Wales faced greater restrictions to protect the information they collect from their customers. Under the GDPR, you can face fines of up to £17.5 million if you mishandle personal information. Therefore, you need to ensure you are correctly handling and storing personal data. This article will provide several tips on how your e-commerce business should handle personal data and stay GDPR compliant.
What is GDPR Compliance?
The main role of GDPR is to impose greater restrictions on businesses to better safeguard how they use and collect personal data. Indeed, as an e-commerce business, you will find yourself collecting and acquiring a range of information about your customers in the day-to-day operations of your business. This is known as processing data.
You must ensure you handle your customers’ information correctly, from home addresses to bank details, to ensure you do not breach GDPR. There are several ways to ensure you are handling personal information correctly.
Register with the Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is responsible for policing data protection regulation in England and Wales. Any organisation that holds or processes personal data must register with the ICO and pay a data protection fee each year. If you are unsure whether you should register with the ICO, you can take their self-assessment questionnaire. By doing this questionnaire, you should be able to determine whether you need to register with the regulator.
Generally, as an e-commerce business, you will need to register with the ICO if your business collects and uses customer names and shipping addresses. Additionally, collecting customer email addresses and phone numbers will require registration. Moreover, you will need ICO registration if you collect payment details and banking information. Finally, if you collect location data or cookies, you will need to register with the ICO.
Additionally, while many businesses question the need to be registered with the ICO, being registered is a great way for your business to show that you are a reputable organisation that adequately safeguards its customers’ personal information.
Create a Privacy Policy
The next step in handling personal data properly is to create a privacy policy that discloses to your customers how you intend to use that information. Under the GDPR, individuals have rights that your business must respect. Those rights include the right to:
- have their personal data erased;
- know what you intend to do with their data; and
- have their data safely stored.
While businesses are not legally required to have a privacy policy, it is advisable that your e-commerce business has one in place. A privacy policy ensures you correctly disclose how you intend to use and process personal information to members of the public. Therefore, it is wise to draw up a privacy policy to inform your customers:
- why you are collecting and processing their data;
- how you are legally allowed to hold and use their data;
- the length of time for which you intend to store their information;
- how they can get in touch with you to delete, access or correct that information; and
- their rights to make a complaint to the ICO if your business is wrongfully using their information.
Update Your Cybersecurity Practices
Additionally, as an e-commerce business, you must ensure that you store personal information in a secure, encrypted location. Many data breaches occur when businesses do not take appropriate steps to store their information in safe environments. Therefore, it is vital to store personal information on a backed-up location that is password protected.
To ensure your storage systems are as secure as possible, you may want to consider doing the following:
- regularly change the passwords to access that data;
- only give those passwords to trusted employees;
- enable two-factor authentication on your storage devices and programs;
- ensure you have the latest antivirus software installed on all devices;
- do not ignore software updates for your computers; and
- secure your personal information in a device not connected to the internet.
Employee Education
Educating your employees on handling personal information is one of the most important ways to protect your customers’ data. Your employees work with personal information regularly. Because of this, they pose some of the biggest data privacy risks and can expose your e-commerce business to various lawsuits if a breach occurs. Fortunately, providing employees with regular training on handling and using customer information can reduce the risk of a breach and help your business stay GDPR compliant.
Firstly, your training should cover the importance of protecting consumer information. Secondly, the training could cover how to correctly handle and store a person’s information. Finally, you could discuss the importance of not using personal devices to access customer data.
Key Takeaways
To remain GDPR compliant, e-commerce businesses must handle their customers’ personal information with care. E-commerce businesses can face hefty fines if they do not store information responsibly. So, to handle information correctly, you should first register your business with the ICO, which regulates your general data storage practices. Secondly, you should draw up a privacy policy and improve your cyber security practices. This ensures the devices on which you store personal information are securely encrypted and password protected. Finally, it is also advisable to get a lawyer’s advice when drafting a privacy policy or assessing whether your e-commerce business may have any data security issues.
If you need advice on how your business can stay GDPR compliant, our experienced contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
If your business collects and uses customer information in its daily operations, you need to comply with data protection laws. The most prominent law that will apply to your business is known as General Data Protection Regulations (GDPR).
If you have a data privacy policy, you should aim to review and update it at least once each year to ensure it remains current.