The GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), an EU Regulation which will govern processing of personal data across all European Union member states, and by foreign individuals and entities to the extent that they process the personal data of individuals in the European Union.
When is the GDPR coming into force?
25 May 2018.
Which businesses will be affected by the GDPR?
Virtually all businesses will be affected by the GDPR because almost every business collects, stores or otherwise processes personal data for one reason or another. Personal data means any information relating to an identified or identifiable natural person. Under the GDPR, the definition of personal data will be expanded to specifically include online identifiers and IP addresses, amongst other expansions of the definition. Most businesses collect and process some amount of personal data (often without even realising it) via their websites and in the ordinary course of business. The GDPR applies to all such businesses, and businesses should therefore ensure that they are up to speed with their changing obligations and new requirements before the GDPR coming into force, particularly because of the risk of enormous fines for non-compliance.
How does the GDPR affect my business?
Your business will have a range of new compliance obligations to adhere to (failure to do so will risk exposing you to serious fines (see ‘How much are the new fines’ below). These include:
ensuring that, where required, GDPR-compliant consents are obtained for data subjects whose data are processed;
ensuring that all processing activities undertaken by your business are fair and compliant with the new data protection regime;
ensuring that all documentation relating to personal data is clearly accessible on your public website and is complete and transparent;
keeping a register of data processing activities;
implementing ‘privacy by design and by default’ into your processing systems; and
ensuring that your business is capable of effectively responding to any requests by data subjects to exercise their new rights of data portability and data erasure.
Our website documentation, guidance notes and Legal Update Platform, which is available on a subscription basis and includes a free six month trial when you purchase our website documentation, all provide extensive practical advice to enable you to prepare for the GDPR and to avoid the potentially crippling fines for non-compliance.
What is changing?
There are a broad range of changes being introduced by the GDPR. Some of the key changes include:
Increased territorial scope. The GDPR will apply to overseas businesses that process personal data relating to individuals in the EU.
Penalties. The maximum penalties for breaches of data protection law are being increased substantially, from £500,000 up to the higher of €20,000,000 or 4% of annual worldwide turnover.
Obligations for data processors. Data processors will be held accountable for breaches in the same way as data controllers.
Removal of registration requirement with a Data Protection Authority. The requirement to register with a Data Protection Authority (which, for the UK, is the Information Commissioner’s Office (ICO)) will be removed.
New data subject rights. Data subjects will enjoy new rights in addition to the rights they currently enjoy under the existing data protection regime. These include changes to their subject access rights and new rights such as data portability and data erasure rights.
Increased burden to demonstrate compliance. All businesses will not only need to comply with the new requirements of the GDPR, but will also need to demonstrate their compliance. This means having in place up-to-date documentation, systems and procedures and visibly compliant website documentation.
Consent. The existing requirements for obtaining valid consent for the processing of personal data are being strengthened, and consents obtained for data processing under the existing regime may not be valid under the new regime.
Breach notifications. There is a new 72 hour time limit for notifying a Data Protection Authority about certain data breaches.
Transparency. All documentation relating to the data processing activities undertaken by any business must be complete, easy to understand, easily accessible to data subjects, and must set out their rights and specific information relating to the business.
New concepts. The GDPR will introduce a range of new concepts to data protection law, such as privacy by design and by default, pseudonymisation and accountability. Our guidance notes available via our Legal Update Platform provide a full description of these concepts and what they mean for businesses.
How much are the new fines?
The new maximum fines for data protection law breaches are increasing from £500,000 to €20,000,000 or 4% of annual worldwide turnover (not profit) depending on the nature of the breach. Breaches that might attract these higher fines could include failing to obtain the correct consent from data subjects for the processing of their personal data or failing to ensure data is protected and secured by appropriate measures and technology. Our guidance notes provide concise practical advice for how to ensure you do not exposure yourself to the risk of such fines.
Will Brexit affect the GDPR?
No. Brexit will not affect the implementation of the GDPR in the UK because the GDPR comes into force on 25 May 2018, prior to the date when the UK will have left the European Union.
Once the UK has left the European Union, the UK Government will theoretically be free to amend and repeal the GDPR. However, this very unlikely to occur as the UK has generally been supportive of European Union data protection legislation and repealing or watering down the provisions of the GDPR could have adverse consequences for businesses wishing to continue to trade with the European Union following Brexit. Moreover, the UK Parliament is already preparing to implement the GDPR through national legislation in the form of a new Data Protection Act, so the GDPR looks set to remain part of UK law, whether directly or indirectly, for the foreseeable future.
My website developers do all my IT work, can’t I leave this to them?
No. Your business is responsible for its own data processing activities, even where third parties are involved. Website developers will only have limited control (if any) over the data processing carried out by your business, and so they are unlikely to be able to resolve your practices to conform to the new regime. Responsibility for data protection compliance cannot be assigned to a web developer or other third party; your business alone is responsible for ensuring that your practices, procedures and documentation are in order.
We provide the most comprehensive and best value GDPR-compliant document package available. Here are just a few of the key benefits:
Most compliant. All of our documentation has been specifically drafted to comply with the GDPR and to provide you with as much legal protection for your business as possible. We have even gone the extra mile and had our documents reviewed by a US attorney to ensure their compliance with relevant extra-territorial non-EU legislation, such as the The California Online Privacy Protection Act (CalOPPA), as well as the Children’s Online Privacy Protection Act (COPPA). Our products far exceed the quality of other templates available online, many of which have not been reviewed or approved by a solicitor, attorney or lawyer and which fail to comply with relevant legislation, putting your business at risk of enormous fines and penalties.
Most flexibility. Our documents and guidance notes describe the full range of options available to you to achieve compliance with relevant UK and EU legislation, while focusing on the most straightforward, convenient and low-cost options, saving you both time and money.
Best guidance available. No competitor offers anywhere near as much useful guidance for tailoring the documentation to your website and business. This can save you huge sums of money in legal fees, which quickly and easily run into the thousands of pounds.
Best value. No competitor offers you the level of comprehensive documentary protection, advice and resources for the price of our website documentation. The only real alternative for getting high quality documentation for your website is to find a reputable data protection specialist or lawyer, which often costs thousands of pounds, so purchasing our website documentation is your easiest and most cost-effective solution by far, saving you an estimated 90-95% off the cost of a solicitor or lawyer.
Independently verified. Our template documents have been reviewed for suitability and GDPR compliance by not only ourselves but also by an independent UK solicitor, UK barrister. We have also had our documents reviewed for compliance with relevant US legislation by a US attorney. No other document provider can claim this level of investment in their document templates.
ICO and Article 29 Working Party Guidance considered. Our documents have been prepared using the latest
ICO and Article 29 Working Party guidance available. Our documentation is therefore not just compliant but effectively ‘gold-plated’, allowing you to go further than your competitors and adopt best practice, offering your business even greater protection and improving customer trust and confidence. Moreover, when it comes to enforcement, the ICO has stated that it will consider whether a business has followed best practice when considering whether a business has breached data protection law.
How can I be sure that the documents comply with the GDPR?
Unlike other companies purporting to offer similar documents, we haven’t just taken old documentation and made minor adjustments. Our documents and guidance notes were drafted from scratch for the specific purpose of complying with the GDPR. We have done this because we believe it is the only way to provide the highest possible level of compliance with the GDPR and to visibly demonstrate your compliance with the new regime. Moreover, all of our documentation has been carefully considered each of the relevant provisions of the original legislation as well as official guidance from the ICO and the Article 29 Working Party.
If that were not enough, we have also had our documents reviewed and approved by a UK solicitor and UK barrister and by a US attorney for compliance with US legislation. You can therefore rest assured that with our website documentation, you will be using the latest, most up to date and state of the art documentation for your website.
Can I modify the documents myself?
Yes, the documents we provide are templates and you must tailor them to ensure that they are relevant to your particular website and business. While we have prepared the documents for use by the vast majority of websites and businesses, they will invariably need to be tailored to the specific features and functionality of your website and for what your business does with personal data. The cookies policy, for example, will require you to delete references to any types of cookies that you do not intend to use. All such adjustment options are made clearly visible in the documents themselves, and explained in full in the guidance notes accompanying them, so you should be able to do this yourself.
If you require modifications outside of the scope of the original documents and guidance notes, these are also possible, but we will not be able to guarantee that any such modifications that you make yourself will be compliant or fit for purpose. In this situation we would always recommend seeking appropriate advice. We offer a bespoke document tailoring service, so please feel free to contact us at firstname.lastname@example.org and we can provide you with a quote.
How will I get access to the documents?
When you purchase your document package, the latest versions of all documents and guidance notes will be immediately downloadable or sent within 24 hours to the email address that you provided at checkout. If you have not received the documents within that time period, please email us at email@example.com.
If you have purchased a subscription or taken out a free 6 month trial to our Legal Update Platform, you will be provided with unique login information to the customer area of our website. Once you have logged in, you will have access to the latest versions of all the documents, all guidance notes, and all the additional content available exclusively to subscribers, such as legal updates, summary guidance notes on new information provided by the data processing authority, and template responses to data subject requests.
Why do I need documentation on my website?
they contain mandatory information which website owners are required by law to provide to their website users;
they set out the basis on which users are permitted to access, use and interact with the website and prohibit undesirable or unlawful conduct and any harmful practices;
they exclude the website owner’s liability to users and third parties as far as legally possibly, including liability for inaccuracies, user-generated content and content on any linked sites;
they describe the availability of the website and exclude representations of suitability for purpose and viewing on different platforms;
they detail any requirements for registering on the site (such as age restrictions); and
Our cookies policy and accompanying guidance note is one of the best available and can help you with all of these issues, providing you with the practical advice you need to tailor your cookies policy to your website’s specific requirements as well as to the latest software and third party cookies commonly used by websites today (such as Google Analytics, Facebook Pixel, and more).
I already have terms and conditions for purchases made on my website; Why would I need another set of terms and conditions?
Why do I need legal updates?
Even the best and most carefully drafted documents need to be updated to reflect changes in law.
The law is constantly changing and although major changes in law like the GDPR do not come round often, the interpretation of laws changes over time as new decisions are made by judges in court cases, exemptions in national and secondary legislation are applied, and new guidance from regulators like the Information Commissioner’s Office (ICO) or interpretative bodies like the Article 29 Working Party are issued. Therefore, while all of our documentation has been drafted for compatibility with the GDPR and all other applicable legislation at the time of purchase, our documents will invariably be required to be updated for new laws affecting websites (e.g. the new e-Privacy Regulation), the new Data Protection Act being prepared by Parliament, changes in law as a result of Brexit and continually changing interpretations of the law. We provide periodic updates of our guidance notes to describe the latest official practices and upload regular content to assist businesses with new methods of ensuring that their data processing activities are fully compliant with applicable legislation.
It is essential for all businesses dealing with personal data to remain up to date and to ensure that their documentation and practices accord with the latest interpretations of the legislation and changes in law so they can ensure compliance and avoid potentially catastrophic and crippling fines. At only £25 +VAT per year, our Legal Update Platform is the most cost-effective way to achieve ongoing legal compliance for your website and costs a fraction of what it would cost to pay a solicitor or other professional to provide you with a similar service.
What will I get from my legal update platform subscription?
Our Legal Update Platform subscription includes:
access to the latest versions of all guidance notes to help you adapt of all our website documentation for your website. These contain up-to-date and user-friendly tips and advice to help you ensure that your documents and practices comply with relevant data protection rules;
template response letters to help you respond to subject access requests, saving you precious time and money when handling such a request;
guidance notes for handling subject access requests, ensuring you know what you have to provide and when you have to provide it by;
practice notes on key GDPR issues such as consents, cookies, reporting breaches and pseudonymisation (amongst others);
legal updates following developments in case law, ICO guidance and secondary legislation, outlining their impact clearly and simply and setting out any practical steps you need to take as a consequence; and
regulatory guidance summaries, concisely outlining the key points from ICO guidance, so you can take relevant actions quickly and effectively and avoid the need to read through lengthy guidance notes.
How much does the legal update platform subscription cost?
Subscriptions are incredibly affordable and cost-effective at just £30 + VAT a year! In addition, customers who purchase our document packages will also be given the opportunity to enjoy a 6-month free, no obligation trial period for all subscription content.
How often will legal updates be provided?
The rate at which legal updates are provided varies based on a range of factors, but primarily based on the rate at which the law changes or relevant guidance from the ICO or Article 29 Working Party is issued.
We will update our document templates following any relevant changes in law and update our guidance notes regularly, at least every time new guidance materials are published by the ICO or other authorities, or whenever new case-law affects a relevant practice. We will add summaries of new regulatory materials whenever they are published, and will generally add new additional content as often as possible to answer questions we frequently receive and to provide helpful advice in relation to key topics in data protection such as marketing, cyber-security and consent.
Will I be notified when updates are available?
Yes. All subscribers to our Legal Update Platform will receive email notifications every time we update or upload new documents, so you will be aware of any changes as soon as we make them.
We are also working on a new system that will allow subscribers to select their own preferences for when they wish to receive notifications. If you only want to hear about new versions of the template documents and not the guidance, that’s fine!
How can I show that my documents are up to date?
Use of our website documentation is a significant and meaningful way in which you can demonstrate compliance to your customers, competitors, and data protection authorities as well as showing them that you are aware of the new legislation and have taken steps to comply.
What does it mean when I display the logo?
that you have adopted GDPR compliant website documentation and care about your ongoing legal compliance obligations;
that your business has received essential advice from a specialist data protection advisory and consultancy service as to how to align its online activities, websites and data processing procedures with compliant practices and that you are concerned with your continuing compliance obligations;
that your business takes data protection seriously, and takes care to safeguard the privacy rights and best interests of its customers and clients;
that your website documentation is innovative, modern and up-to-date; and
that your business will be made aware of future changes in law, and will be provided with the means to react to any changes to stay ahead of the curve and your competitors with data protection compliance.
Where can I use the logo?