Comply with the law when providing goods and services

Customers and data protection

The General Data Protection Regulation (GDPR) applies in the UK from 25 May 2018. Alongside the Data Protection Act 2018, the GDPR introduces new rules on processing and safeguarding personal data.

All businesses that hold, use, store or otherwise process the personal details of customers, potential customers, suppliers, staff or any other business contacts must comply with the GDPR and the Data Protection Act 2018. The Act applies to any records held electronically - for example on computer - or manually such as in a paper file.

If you fail to comply with the principles of the GDPR, this may constitute a breach of data protection law and leave you open to substantial fines. The GDPR states that infringements of the basic principles for processing personal data can attract a fine of up to €20 million, or 4% of your business's total worldwide annual turnover, whichever is higher.

Under the Data Protection (Charges and Information) Regulations 2018, you may be required to pay a data protection fee to the Information Commissioner's Office (ICO) if you are processing personal data, unless you are exempt.

The GDPR and the Data Protection Act 2018 require businesses to comply with a number of principles. These include:

  • personal data must be processed lawfully, fairly and transparently
  • information must only be collected for specified, explicit and lawful purposes, and not used in a way incompatible with those purposes
  • businesses should only hold information they actually need, and for no longer than necessary
  • information that is no longer necessary or required should be deleted or securely destroyed as soon as possible
  • the information must be accurate and, where necessary, kept up to date
  • the information must be held and processed securely, using appropriate technical and organisational measures, in a way that respects the rights of the data subject

Privacy notices

In order to comply with the Data Protection Act 2018 and the GDPR, you must provide customers with certain information about how you will use their personal data. This information can be contained in a 'privacy notice'. See privacy notices under the GDPR. The privacy notice should be provided to your customers at the point at which they give you their personal information, for example when they place an order or register an account.

For further information on the implications of the Data Protection Act 2018, read privacy and data protection in marketing.