Getting Ready for the GDPR

December 2017

In the latest instalment of our series of new and updated content designed to help you prepare for the GDPR, our Website Privacy Policy templates have now been updated. The GDPR is designed to bring data protection legislation up to speed with modern technology and modern uses of personal data - many of which were either very new back in 1998 when the Data Protection Act came into force, or were yet to be imagined.

Among the key requirements of the GDPR is that of “fair processing notices” or, put more simply, privacy notices or privacy policies. If you collect personal data through your website (and remember, things that were not considered personal data under the 1998 Act, such as IP addresses and other online identifiers, will qualify as personal data under the GDPR) it is important to tell your visitors and customers what data you are collecting and how you are using it.

More Informative Privacy Policies

A number of alterations, some minor, some not, have been made to our Privacy Policies. Among the more important changes are:

  • New sections providing details of data subjects’ rights under the GDPR (it is important that people are informed of these - it cannot be assumed that they already know about them);
  • A space for you to provide the details of your data protection officer (this must be done if you appoint one);
  • Expanded details of how you use personal data, with particular emphasis on data retention (derived from the principle that personal data should not be retained for longer than necessary in light of the purpose(s) for which it was originally collected);
  • New references in the templates to cookie controls - essentially requiring affirmative consent from users before any cookies are placed on their computers or devices; and
  • New provisions covering data subject access requests - under the Data Protection Act, data controllers (that’s you) could charge a fee for responding; under the GDPR, however, unless the request is very complex, the information must be provided to the data subject for free.

It should also be noted that, when providing information about your use of personal data, if individuals are required to provide personal data under a contract or by law, this should be noted in the policy, along with the possible consequences of failing to provide it. Also note that if any automated decision-making (including profiling) is undertaken using personal data, that should also be explained, including how decisions are made, their significance, and their consequences.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.
