Data Management Do’s and Don’ts (May 2024)

A super website can be a great resource for all types of equestrian businesses – from full e-commerce retailers, to riders or bespoke suppliers wishing to provide a snapshot of what they offer, they offer a flexible and engaging shop window.

However, while a web-developer can advise you on the technical aspects, too often the legal aspects of maintaining and operating a website are overlooked. So – this month, it’s a whistle-stop guide to the main legal and compliance requirements, and how you can ensure that you have these documents safely in place.

Data, data, all about the data… Privacy policies and cookie policies

The vast majority of websites will track data either openly – by asking visitors to sign up to mail lists, or provide customer information to create an account – or by collating information about users’ online behaviour, such as IP addresses and web log data. Under the UK General Data Protection Regulation (GDPR), businesses must comply with its transparency requirements. This means that all data controllers (in this case, the business which owns the website) must notify data subjects (website visitors) about how their personal data is handled at the time that data is collected.

Personal data is any information about an individual from which that person can be identified – so, name, contact information, date of birth, profile data, financial data (such as payment cards), marketing data and usage data are all forms of personal data.  

Notification under the UK GDPR is usually effected by ensuring that the website has a privacy policy, which informs customers about how the business collects, uses, stores, transfers and secures their personal data. In addition, a cookie policy notifies visitors about how technical information about their online activity is recorded.

Each businesses’ use of personal data differs – so any policy should be prepared by someone with a good understanding of how the business holds and uses the personal data it gathers. A privacy policy should be clearly visible as a link on all pages of the website, usually as a header or footer, and also at any point of sale – together with the terms and conditions.

A cookie policy should appear as soon as you arrive on a website; and provide the visitor with options as to what purposes a website uses cookies for, and seek their consent to the use and storage of cookies.

The Information Commissioner’s Office

The ICO is the UK’s independent body, set up to uphold information rights. It provides helpful guidance for smaller and developing businesses as to their obligations in relation to data capture. Registration is mandatory for every organisation or sole trader who processes personal information in any way, unless they benefit from a specific exemption.

The website (www.ico.org.uk) holds lots of helpful information and resources for small businesses getting to grips with their use of and obligations in respect of, personal data, whether online or via direct sales and interactions. The ICO is also the body to which customers might complain if they feel that their personal data has been handled inappropriately, or if an organisation experiences a personal data breach. With the ICO becoming increasingly proactive in enforcing compliance with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), it is wise to ensure that your businesses’ privacy and cookie policies are up to date with current law.

Future changes

The Data Protection and Digital Information bill (DPDI) is currently working its way through the governmental approvals process. It seeks to reduce the data compliance requirements on smaller organisations, and overhauls certain of the ICO’s objectives. While negotiation between the government and stakeholders is ongoing, it is worth keeping an eye on the impact of developments for smaller businesses.

To conclude – while a smart website is a super resource for your business, it is important to ensure that you properly understand your obligations at law in relation to any personal data you may capture as part of your operations – from e-commerce to running a mail list for updates.

First published in Equestrian Trade News in May 2024. Aria Grace Law CIC undertakes no obligation to update this information following publication.