
Understanding Data Protection (UK GDPR)

What UK GDPR, the ICO Children's Code, and the Age Appropriate Design Code mean for teen entrepreneurs — data you can and cannot collect, privacy notices, and cookie consent explained simply.

If your business collects any information about people — names, email addresses, order details, even website visit data — you are handling personal data. In the UK, that means data protection law applies to you, even if you are 14 and selling handmade bracelets from your kitchen table.

This guide explains UK GDPR in plain language, covers the extra rules that exist to protect children, and shows you exactly what you need to do to stay on the right side of the law.

What Is UK GDPR?

GDPR stands for General Data Protection Regulation. After Brexit, the UK kept its own version called UK GDPR, which works alongside the Data Protection Act 2018. Together, they set out the rules for how anyone — individuals, businesses, charities — must handle personal data.

Personal data is any information that can identify a living person:

  • Name
  • Email address
  • Home address
  • Phone number
  • Photos of someone
  • IP addresses
  • Order history
  • Even a username if it can be linked back to a real person

Does This Apply to My Small Business?

Yes. UK GDPR applies to any organisation — regardless of size — that processes personal data. If you take orders and have a list of customer names and addresses, you are processing personal data.

The only exception is purely personal or household activity (like keeping a personal address book for friends). Once you are using data for business purposes, the rules kick in.

The Seven Principles

UK GDPR is built on seven principles. You do not need to memorise legal definitions, but you do need to understand what they mean in practice:

  • Lawfulness, fairness, transparency: Be honest about what data you collect and why. Do not trick people into giving information.
  • Purpose limitation: Only use data for the reason you collected it. Customer emails for orders should not be added to a marketing list without permission.
  • Data minimisation: Only collect what you actually need. You do not need someone's date of birth to sell them a candle.
  • Accuracy: Keep data up to date. If a customer tells you their address has changed, update it.
  • Storage limitation: Do not keep data forever. Delete it when you no longer need it.
  • Integrity and confidentiality: Keep data safe. Do not leave customer spreadsheets open on shared computers.
  • Accountability: You are responsible for following these rules and being able to show that you do.

The ICO Children's Code (Age Appropriate Design Code)

The Information Commissioner's Office (ICO) is the UK's data protection regulator. In 2021, they introduced the Age Appropriate Design Code — sometimes called the Children's Code. This is a set of 15 standards that apply to online services likely to be accessed by under-18s.

Why this matters to you: If you build a website, app, or online service and children might use it, you need to follow these standards. Even if your customers are adults, if under-18s could reasonably access your site, the Code applies.

Key standards from the Children's Code:

  • Best interests of the child — the child's wellbeing should come first in any design decision
  • Data protection impact assessments — for new products or features, think about the risks to children's data
  • Age-appropriate application — consider the age range of your users and tailor your approach
  • Transparency — explain your data practices in language children can understand
  • Detrimental use of data — do not use children's data in ways that could harm them
  • Policies and community standards — uphold your published terms
  • Default settings — privacy settings should be set to the most protective level by default
  • Data minimisation — only collect what you need (this principle is extra important with children's data)
  • Data sharing — do not share children's data unless you have a compelling reason
  • Geolocation — location tracking should be off by default
  • Parental controls — where appropriate, give parents visibility
  • Profiling — do not profile children for marketing purposes by default
  • Nudge techniques — do not use design tricks to get children to hand over more data
  • Connected toys and devices — if applicable, follow specific security standards
  • Online tools — provide easy-to-use tools for children to exercise their data rights

In practice for most teen businesses: Keep it simple, collect minimal data, be transparent, and do not use clever tricks to get people to share more than they need to.

What Data Can You Collect?

Here is a practical breakdown:

You CAN collect (with a lawful basis):

  • Customer name and delivery address (to fulfil orders)
  • Email address (for order confirmations and, with consent, marketing)
  • Payment information (handled by Stripe — you never see or store card details)
  • Order history (for customer service and accounting)

You should NOT collect:

  • Date of birth (unless legally required, e.g. age-restricted products)
  • School name or year group
  • Social media passwords
  • More information than you need for the transaction

You must NEVER:

  • Sell customer data to anyone
  • Share customer lists with friends or other businesses without explicit consent
  • Keep data after you no longer need it (and delete customer details if they ask you to)

Lawful Bases — Why You Can Process Data

UK GDPR says you need a lawful basis for processing personal data. The two most relevant for teen businesses are:

1. Contract — you need the data to fulfil an order. If someone buys a product, you need their name and address to deliver it. This is straightforward.

2. Consent — the person has freely agreed to you using their data for a specific purpose. This is what you need for marketing emails. Consent must be:

  • Freely given — not forced or bundled with something else
  • Specific — "I agree to receive marketing emails from Bloom Candles" (not just "I agree to everything")
  • Informed — the person knows what they are agreeing to
  • Unambiguous — a clear opt-in action (not a pre-ticked box)
  • Easy to withdraw — they can unsubscribe at any time

Writing a Privacy Notice

Every business that collects personal data should have a privacy notice (sometimes called a privacy policy). This is a document that tells people:

  • Who you are — your business name (not your full personal name — see Guide 29)
  • What data you collect — be specific
  • Why you collect it — the purpose and lawful basis
  • How you use it — order fulfilment, marketing, etc.
  • Who you share it with — e.g. Royal Mail for delivery, Stripe for payments
  • How long you keep it — e.g. "We keep order records for 6 years for tax purposes"
  • Your customers' rights — they can ask to see, correct, or delete their data
  • How to contact you — your business email

A simple privacy notice for a teen business might be 300-500 words. It does not need to be written in legal language. The ICO specifically encourages clear, plain English — especially if children might read it.

Cookie Consent

If you have a website, you probably use cookies — small files that websites store on visitors' computers. Common examples:

  • Essential cookies — needed for the site to work (e.g. keeping items in a shopping cart)
  • Analytics cookies — track how people use your site (e.g. Google Analytics)
  • Marketing cookies — used for targeted advertising

The rules:

  • Essential cookies do not need consent (but you should mention them in your privacy notice)
  • Analytics and marketing cookies do need consent — you must ask visitors before setting them
  • A cookie banner that says "By using this site you agree to cookies" is not valid consent. Users must be able to choose.

For most teen businesses: If you use a simple website builder like Shopify or Wix, cookie consent tools are often built in. If you have a custom site, add a simple cookie consent banner that lets visitors accept or reject non-essential cookies.
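The consent rules above, as an added example for a custom site (this is not code from the guide or from any website builder): essential cookies are always allowed, analytics and marketing cookies stay off until the visitor makes an explicit choice, and the choice is stored in a cookie named "cookie_consent" (an assumed name) so the banner is not shown again. Visiting the site alone never counts as consent.

```javascript
// Added example: a minimal consent gate. The cookie name "cookie_consent" and the
// six-month lifetime are assumptions, not requirements from the guide.
const NON_ESSENTIAL = ["analytics", "marketing"];

// State before the visitor has chosen anything: only essential cookies allowed.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, decided: false };
}

// Record an explicit choice from the banner. Each category must be a real
// boolean true; a missing or non-boolean value is "not opted in", never consent.
function recordChoice(choice) {
  const consent = defaultConsent();
  for (const category of NON_ESSENTIAL) {
    consent[category] = choice[category] === true;
  }
  consent.decided = true;
  return consent;
}

// Call this before setting any cookie: essential always passes, everything
// else needs a recorded, explicit opt-in for that category.
function mayUseCategory(consent, category) {
  if (category === "essential") return true;
  return consent.decided && consent[category] === true;
}

// The consent record itself is an essential cookie (the site needs it to work).
function serializeConsent(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `cookie_consent=${value}; Path=/; Max-Age=15552000; SameSite=Lax`;
}

// Read the decision back from a Cookie header or document.cookie string.
// Anything missing or malformed falls back to "no consent", and stored values
// are re-validated instead of trusted.
function parseConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== "cookie_consent") continue;
    try {
      return recordChoice(JSON.parse(decodeURIComponent(rest.join("="))));
    } catch {
      return defaultConsent();
    }
  }
  return defaultConsent();
}

// Withdrawing consent must be as easy as giving it: back to essential only,
// still marked as decided so the banner does not keep reappearing.
function withdrawConsent() {
  return recordChoice({});
}
```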

Your Customers' Rights

Under UK GDPR, people have specific rights over their data:

  • Right of access — they can ask to see what data you hold about them
  • Right to rectification — they can ask you to correct inaccurate data
  • Right to erasure — they can ask you to delete their data (also called "the right to be forgotten")
  • Right to object — they can ask you to stop processing their data for marketing

If a customer exercises any of these rights, you must respond within one month. In practice, for a small business, this usually means sending them a copy of their order information or deleting it from your records.

Practical Steps for Teen Entrepreneurs

Here is your checklist:

1. Audit your data. Make a list of all the personal data you collect. For each item, write down why you need it.

2. Write a privacy notice. Keep it simple, honest, and in plain English. Put it on your website and link to it from your order forms.

3. Get proper consent for marketing. If you want to send newsletters or promotional emails, add a clear opt-in checkbox (not pre-ticked) at checkout or sign-up.

4. Keep data secure. Use strong passwords. Do not share spreadsheets containing customer data over social media or messaging apps. Use encrypted services where possible.

5. Only keep data as long as you need it. Order records should be kept for 6 years (HMRC requirement). Marketing consent records should be kept as long as the consent is active. Delete everything else.

6. Have a plan for data requests. If someone emails asking what data you hold about them, know where to look and how to respond.

7. Use trusted third parties. Stripe for payments, Royal Mail for shipping, Mailchimp or Resend for emails — these companies have their own GDPR compliance, which protects you too.

Key Takeaways

  • UK GDPR applies to you — size and age do not matter. If you handle personal data, you have obligations.
  • Collect only what you need — the less data you hold, the less risk you carry
  • Be transparent — a simple privacy notice in plain English is all you need
  • Consent for marketing must be freely given — no pre-ticked boxes, no bundled consent
  • Keep data safe — strong passwords, no sharing via social media, delete when done
  • Customers have rights — they can ask to see, correct, or delete their data, and you must respond within a month
  • The ICO Children's Code sets a higher bar for services accessed by under-18s — default to the most protective settings

Write Your Privacy Notice

Use this activity to draft a simple privacy notice for your business. Fill in each section with honest, plain-English descriptions of how you handle customer data.

Scenario Quiz — 5 scenarios

Scenario 1 of 5

You have a list of 50 customer email addresses from past orders. You want to send them all a marketing email about your new product range.

What do you need to do first?

Reflection

Think about a website or app you use every day. What personal data do you think they collect about you? Does knowing about UK GDPR change how you feel about sharing your data?

Why do you think the UK has extra rules (the Children's Code) for protecting young people's data? Do you think these rules are necessary, or do they go too far?

If a customer asked you to delete all their data, how would you feel about it? Do you think the right to erasure is fair to small businesses? Why or why not?
