Are you processing personal data through your website in order to faciliate commerce? In simpler terms, are you asking customers to provide information about themselves through your website, app, or email addess, followed by using that information in order to carry out your business?
One of the questions of the self-assessment written by the Information Commissioner’s Office (ICO) states: “Do you only process personal data for staff administration, advertising, marketing or public relations, or accounts or records?” Another states: “Do you process individuals’ information for advertising, marketing or public relations?” And: “Do you process individuals’ information for accounts or financial records?” If the answer to any of these is ‘no,’ then you need to register with the ICO. If you are meant to register but have not, the ICO might come knocking on your door with more than just a slap on the wrist.
Of key interest to online retail store owners would be the last question about accounts and financial records, and the ICO provides guidance on this in the self-assessment:
You should answer ‘Yes’ if you:
- only process information necessary for undertaking and managing transactions with your suppliers and customers; and
- only share the information with people and organisations necessary to do this. Important – if individuals give you permission to share their information, this is also allowed; and
- keep the information while you have a relationship with the supplier or customer it refers to or as long as necessary for your accounts and financial records.
So as long as you are doing just the above, this should be sufficient, but in case of any doubt, seek legal assistance. Just as well, the other aspects of the assessment must be met properly regarding communications (advertising, marketing, and public relations). It may be prudent to register with the ICO voluntarily, which can indeed be considered to be a mark of integrity and credibility with customers who can have confidence their personal data is used in accordance with the law. Don’t forget to secure your data, too.