Chykalophia Docs

Data privacy basics for your business

A plain-English introduction to data privacy — what data your business likely holds, your responsibilities, and how to handle it well.


Data privacy is about how you collect, store, use, and protect information about your customers, staff, and visitors. It matters for legal reasons — most countries have privacy laws with real penalties — and for trust reasons: people expect their information to be handled responsibly.

You don't need to become a lawyer. You do need to understand the basics.

Quick summary

Your business probably collects personal data through your website (contact forms, analytics, cookies), your customer database, and your email list. You are responsible for protecting that data, being transparent about how you use it, and allowing people to request its deletion. A privacy policy on your site, consent for marketing emails, and basic data security are the minimum for most businesses.

What counts as personal data?

Personal data (also called personally identifiable information, or PII) is any information that can be used to identify a specific person. This includes:

  • Names, email addresses, phone numbers
  • Physical addresses
  • IP addresses (which your website likely collects automatically)
  • Payment information
  • Photos or videos of individuals
  • Any combination of details that identifies someone

If your website has a contact form, an email list, or any kind of account system — you are holding personal data.

Data privacy laws: the landscape

  • GDPR (EU). Who it applies to: any business that collects data from people in the EU, regardless of where the business is based. What it requires: consent, right to access, right to deletion, data protection measures.
  • CCPA (California). Who it applies to: businesses that collect data from California residents (with thresholds). What it requires: right to know, right to opt out of sale, right to deletion.
  • PIPEDA (Canada). Who it applies to: organizations collecting personal data in Canada. What it requires: consent, accuracy, access, security.
  • Other state/national laws. Who it applies to: varies. What it requires: most follow similar principles.

This is not legal advice

Data privacy law is complex and jurisdiction-specific. This guide gives you a foundation — but if you collect significant amounts of personal data, sell products in multiple countries, or have questions about compliance, consult a lawyer or a privacy professional.

The data your business likely holds

Think through each of these:

  • Contact form submissions — names, emails, messages
  • Email marketing list — names, emails, possibly purchase history or preferences
  • Customer records — order history, shipping addresses, payment history
  • Website analytics — anonymous by default in Google Analytics (especially in GA4), but includes IP addresses
  • Cookies — can identify returning visitors
  • Staff information — if you have employees, you hold their personal data too
  • Social media interactions — if you run ads or competitions

Your responsibilities

Have a privacy policy

Your website needs a privacy policy that explains:

  • What data you collect
  • Why you collect it
  • How long you keep it
  • Who you share it with
  • How people can access or delete their data
  • How to contact you with privacy requests

A privacy policy generator (like Iubenda or Termly) can create a compliant policy for your business type. We recommend getting a lawyer to review it if you handle significant amounts of data.

Get consent for marketing

In most jurisdictions, you need explicit consent before adding someone to a marketing email list. This means:

  • A pre-ticked checkbox does not count as consent
  • People need to actively opt in
  • You need to keep a record of when and how they consented

This is sometimes called permission-based marketing or opt-in marketing.

If your site uses cookies beyond strictly necessary ones (analytics, advertising, personalization), you need to inform visitors and get consent in many jurisdictions. A cookie consent tool handles this automatically.

Respond to data requests

If someone asks to:

  • See what data you hold about them
  • Correct inaccurate data
  • Delete their data ("right to be forgotten")

You are generally legally required to respond, usually within 30 days. Keep records of these requests.

Protect the data you hold

Holding personal data creates a responsibility to protect it:

  • Use strong passwords and 2FA on systems that hold customer data
  • Avoid sending personal data in unencrypted, plain-text emails when there is another way to share it
  • Limit who in your team has access to customer data
  • Delete data you no longer need

What to do after a data breach

If you believe personal data has been accessed without authorization:

  1. Assess what data was involved and how many people
  2. Secure the breach — stop any ongoing access
  3. Check your legal obligations for reporting (GDPR requires reporting to your data authority within 72 hours in many cases)
  4. Consider whether to notify affected individuals
  5. Consult a lawyer

See also What to do if your site is hacked.

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
