Options When an Online Business Supplier Breaches Data Protection Rules in the UK

Online businesses like you have to comply with many different rules when carrying out the day-to-day work of your eCommerce brand. One of these is data protection rules if you store and process personal data. However, there may be situations where you, as an eCommerce business and data controller, pass personal information to another online business as the supplier or processor of that personal data. 

For example, your online business may have customers’ personal details to deliver their goods. However, you may use another online business to deliver their goods for you. In that case, you will pass them the personal data. This article will explain what you can do if your online business supplier breaches data protection rules. It is essential to understand this, as data protection breaches can result in penalties such as hefty fines.

What are Data Protection Rules?

As an online business, you may come across personal data. For example, your online customers may give you personal details such as their date of birth for you to allow them to sign up for your online rewards scheme. If so, your eCommerce business must comply with the Data Protection Act 2018, which is how the UK implemented the General Data Protection Regulation (GDPR).

The Data Protection Act 2018 requires your online business to follow ‘data protection principles’. These include:

• using data lawfully, fairly and transparently;
• ensuring that the data you use is for the exact purposes you specify;
• using data only as necessary, adequate and relevant;
• that you keep data up to date and ensure it is accurate;
• that you do not hold onto data longer than needed, and
• that you handle data with the right level of security. 

What is a Data Protection Breach for Online Businesses?

A data protection breach for an online business like you is where a breach of security means that personal data which you either:

• process;
• store; or 
• transmit

Has accidentally or unlawfully been:

• destroyed;
• lost;
• altered;
• disclosed without authorisation; or
• accessed.

What Can I Do if My Online Business Supplier Breaches Data Protection Rules?

As an eCommerce business, using another online business for a service makes you the controller of this data, which you pass to them as a supplier or processor. Your eCommerce business controls the data because you decide what data the other online business needs to process. The supplier or processor will follow your instructions. 

You expect the processor or supplier to act responsibly with the data and ensure there is no data breach. For example, you expect the supplier to have systems in place, such as technological and organisational ones, to keep the data safe and secure. If your online business supplier commits a personal data breach, they should let you, as the controller of that data, know immediately. 

If your online business supplier or processor of personal data breaches data protection rules, you need to know what to do. Your supplier should notify you of a security breach immediately, per the data protection rules and any contract you have with them. You must ask your supplier for as much information about the data protection breach as possible.

Once your eCommerce business, as the controller, has information about the data protection breach by your supplier, you must assess whether it is a ‘serious personal data breach’. If so, there is a legal requirement to let the Information Commissioner’s Office (ICO) know without unnecessary delay and at least 72 hours after your supervisor tells you about the data breach. 

If the data protection breach means there is a high risk of negatively affecting your customer’s rights and freedoms, you should tell them about it without unnecessary delay. Ultimately, you should take advice from a legal professional if your online business supplier breaches the data protection rules and affects you as an eCommerce business. 

Key Takeaways

Data protection rules control how businesses like your eCommerce business use and process data. Failing to comply with these rules can result in a data protection breach. This can mean a penalty for your business, such as a fine. If you pass personal data to another online business, they are the data processor or supplier. Your online brand is the data controller as you choose what data to pass them and instruct them. 

For example, if they pass the names and addresses of your customers to an online business that you use to deliver the purchases. If your online business supplier or processor of personal data has a data protection breach, they must notify you as the controller immediately. You will need to assess if it is a ‘serious personal data breach’ and, if so, let the ICO know. You must also inform your customers if the breach affects their rights and freedoms. If you need help understanding what you can do if your online business supplier breaches data protection rules.

For more information, LegalVision’s experienced eCommerce lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.