GDPR and Privacy Policy Changes

Posted by Stephen on 10th December 2017


GDPR (the General Data Protection Regulations) will come into force in the UK on 25th May 2018. The new legislation will significantly increase the regulation and policing of data security and data processing. As a result, the GDPR and privacy policies are currently hot topics.

The GDPR Regulations give significantly more rights to the owner of the data (the ‘data subject’). There are also significantly greater fines and penalties for businesses collecting and using an individual’s data.

As a result, it will be necessary for all businesses that have an online presence to update their existing websites’ privacy policies to cover the GDPR.

To Whom Do the Changes Apply?

Any business that collects personal data must ensure that they properly update their Privacy Policy, so that it complies with the additional requirements of GDPR. ‘Personal data’ is essentially any information from which an individual can be identified either directly or indirectly.

In many instances this will be an individual’s name and email address. If you are just obtaining a business email address which does not include an individual’s name, then that does not count as personal information.

Bear in mind that, if your website focuses on business-to-business, some small business owners still use their personal email address, which will count as personal data if they can be identified from it, i.e. if it includes their name. (This is a significant change from the rules under the Data Protection Act 1998, when such a business email address would not have been classed as personal data.)

Be safe – update your privacy policy, whether you sell B2C or B2B. We have just updated our website Privacy Policy Template to incorporate the changes that are required to keep your website legally compliant.

For those who prefer to make the changes themselves, we set out below the key changes that need to be made to websites’ privacy policies to make sure that, come May 2018, they are up-to-date.

The GDPR and Privacy Policies

All privacy notices that a business issues will have to be ‘transparent, concise and easily legible’, as well as being written in clear, plain English. No room for legal jargon!

With this in mind you need to consider:

  • Where is the privacy policy located? It needs to be easily identifiable which means including it within your website terms of use is not an option. Linking to it from the footer of the website will remain sufficient.
  • How clearly written is the privacy policy? The wording of the policy needs to be clear. This means that it not only has to be written in plain English, but matters, such as the size of the font and the formatting of the page itself, now become relevant.

So if your privacy policy is overly wordy, then you need to look at it. Can you say what you are saying in a clearer, more concise manner?

Increased Provision of Information

As well as providing additional rights to the data subject, a key aspect of the GDPR is the provision of information to the data subject. GDPR sets out very specific requirements for what information you must provide to data subjects in the privacy notice. These include:

1. The identity of the data controller

This will be you as the party that collects the data subject’s information. An individual has a right to know the identity of the legal entity that is collecting their data.

2. What choices the data subject has

The principle of ‘fair processing’ under GDPR requires that individuals must have control of their personal data. You must:

  • give individuals the option to request the deletion of their personal data; and
  • tell them how they can do that.

3. What information you are collecting

You will need to be very specific about what data you collect from the data subject. Most frequently, this will be their name, address and email, as you, as the business, need this to fulfil the purpose for which the data subject provided their information to you.

4. How long you will keep the personal data

Under GDPR, privacy policies must advise individuals how long their data will be kept for. If you cannot determine this, then you must notify the data subject within the Privacy Policy of the reason why. You can no longer simply state that the data will be kept ‘for as long as is necessary’!

5. Why you are collecting the information

It is now necessary for you to set out exactly why you are collecting the personal information from the data subject. This may be to provide them with the download, guide or service that they have requested. Be specific. As the ICO states, you should map out your data processing functions and then list the specific purposes for which the information provided will be used.

6. How long will the data be used and kept for

The new requirements state that an individual must now be notified as to how long their data will be kept. The time period must be reasonable and directly related to the purpose for which you collected the data. This may be very different, depending why you collected the data.

7. Who will you share the information with

As the party that collects the data (the ‘Data Controller’) you will be intending to do something with that data. In many instances you will need to pass that data to a third party to carry out the function. That party is a ‘Data Processor’. It is your responsibility to tell the data subject who will be processing data on your behalf. It may also be the case that you will process the data internally. If so, you need to state that too.

8. Transfer of personal data outside of the EEA

You must notify the individual if you might transfer their data outside of the European Economic Area (EEA). The assumption is that countries which are not themselves bound by GDPR may offer weaker protections.

Accordingly, an individual must be notified if this will be the case. Then they have the choice as to whether they wish to provide the data and so consent to this.

Many businesses will transfer the data that they collect to a third party to process that data. For example, this happens when passing data to a payment processing company, or when a company carries out marketing for your business.

More and more businesses use cloud storage services. Often they will store their customer data with a company based outside of the EEA.


Data Subjects’ Rights – to go in GDPR-Compliant Privacy Policies

Under GDPR, privacy policies must tell the data subjects what rights they have. These rights extend to:

  • The right to request that you delete, correct or bring their data up-to-date;
  • The right to request that you transfer their data to another party (this is part of the data portability requirement);
  • The right to complain to a supervisory body, and who that body is.

As you can see from the above, the information that you must provide to a person via your website is extensive. It is significantly more detailed than the previous requirements under the Data Protection Act 1998. However, armed with the above information, you are now well-placed to update your privacy policy notice so it is GDPR-compliant.

Alternatively, you can download our GDPR-compliant privacy policy template, which makes provision for all of the areas that you need to complete and comes with a detailed guide to walk you through completing the policy.
