1. What is the UK GDPR and how does it apply to my website?
The UK GDPR (together with the Data Protection Act 2018) is the main data protection law in the UK. It governs how organisations can use personal data, and the rights that individuals have in relation to their personal data.
The UK GDPR contains a number of rules relevant to website privacy, including:
Transparency and the right to be informed - the UK GDPR specifies what privacy information you need to tell individuals when you collect personal data from them - this is known as the right to be informed. In addition, one of the fundamental principles in the UK GDPR is the transparency principle - this principle is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data. In relation to website privacy, this means telling website visitors how and why you use their personal data (via a privacy notice).
Lawful basis for processing - in order to collect, use or otherwise process personal data about an individual, you need to have a lawful basis for doing so under the UK GDPR. There are six lawful bases, including consent and legitimate interests. In relation to website privacy, you not only need to determine which lawful basis can be relied upon, but your privacy notice should also include details of your lawful basis for processing.
Security - a key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. When building and managing your website, you should ensure that this principle is always considered and adhered to to achieve website privacy, so that personal data that is collected and used on your website is properly protected.
2. Do I need a privacy notice on my website?
Under Article 13 of the UK GDPR, privacy information must be provided to any individuals whose personal data you collect. This is also known as the “right to be informed”. The definition of personal data is the UK GDPR is broad and it means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This means that almost every website will collect or process personal data. For example, this could be the website visitors' IP address or information that they submit via an online contact form.
If the website collects or processes any personal data, it is a requirement of data protection laws to provide a privacy notice to the website visitors to ensure website compliance. This is key to website privacy and compliance. Find out more about privacy notices by reading this comprehensive guide.
3. What does the privacy notice need to include?
A privacy notice should include the information that is listed in Article 13 of the UK GDPR. This includes:
Controller details - the identity and the contact details of the controller (which will usually be the website owner);
Data protection officer (DPO) - if the company has a DPO, the contact details of the DPO;
Purpose and lawful basis - the intended purposes of the processing of personal data as well as the lawful basis for the processing (and where legitimate interests are relied upon as the lawful basis, details of the specific legitimate interests);
Data sharing - details of the recipients or categories of recipients of the personal data, if any;
International transfers - where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, including reference to the appropriate or suitable safeguards being used for the transfer;
Retention period - the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period must be included;
Data subject rights - you must tell data subjects what their rights are under data protection laws. This includes the right to request access to and rectification or erasure of personal data, the right to request the restriction of processing concerning the data subject or to object to processing, the right to data portability, the right to withdraw consent at any time and the right to lodge a complaint with the ICO; and
Automated decision-making - if automated decision-making, including profiling, is being used by your company, you must tell data subjects about it.
4. What are cookies and how do I comply with cookie laws?
Cookies (sometimes referred to as "tracking technologies") are small blocks of data downloaded onto a computer or other device when a user visits a website. To comply with data protection laws in the UK and ensure website privacy, if your website avails of cookies, you’ll need to include a cookie notice on your website. Find out more about cookie notices by reading this comprehensive guide.
5. What other legal documents or notices should I include on my website for website compliance?
Company information - your website should include details of your company. This should include: (i) company name; (ii) registered number; (iii) place of registration (e.g. England and Wales); (iv) registered office address; (v) postal address (if it’s different from your registered office); (vi) email address; (vii) contact details by non-electronic means (i.e. by phone or mail); (viii) VAT registration number (if your company is registered for VAT); and (ix) relevant trade bodies or regulatory authorities (if applicable) (e.g. the FCA).
Acceptable use policy - you should have an acceptable use policy on your website where you want a set of enforceable guidelines on how a website visitor can and cannot use your website. This could be particularly useful where the website users have the ability to add their own content to the website (e.g. via a discussion board) as your acceptable use policy can include rules around the type of content that can be added.
Tags: website privacy, website compliance
Docue is trusted by so many growth companies – from sole traders to listed companies.