THE GDPR

2018-01-28T18:03:39+00:00

The GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), an EU Regulation which will govern processing of personal data across all European Union member states, and by foreign individuals and entities to the extent that they process the personal data of individuals in the European Union.
Virtually all businesses will be affected by the GDPR because almost every business collects, stores or otherwise processes personal data for one reason or another. Personal data means any information relating to an identified or identifiable natural person. Under the GDPR, the definition of personal data will be expanded to specifically include online identifiers and IP addresses, amongst other expansions of the definition. Most businesses collect and process some amount of personal data (often without even realising it) via their websites and in the ordinary course of business. The GDPR applies to all such businesses, and businesses should therefore ensure that they are up to speed with their changing obligations and new requirements before the GDPR comes into force, particularly because of the risk of enormous fines for non-compliance.

Your business will have a range of new compliance obligations to adhere to (failure to do so will risk exposing you to serious fines; see ‘How much are the new fines’ below). These include:

  • ensuring that, where required, GDPR-compliant consents are obtained for data subjects whose data are processed;
  • providing up-to-date and accurate information in privacy policy notices, including about the personal data you process, why you process it, the legal grounds you rely on for such processing and new and enhanced subject access rights;
  • ensuring that all processing activities undertaken by your business are fair and compliant with the new data protection regime;
  • ensuring that all documentation relating to personal data is clearly accessible on your public website and is complete and transparent;
  • keeping a register of data processing activities;
  • implementing ‘privacy by design and by default’ into your processing systems; and
  • ensuring that your business is capable of effectively responding to any requests by data subjects to exercise their new rights of data portability and data erasure.

Our website documentation, guidance notes and Legal Update Platform, which is available on a subscription basis and includes a free six month trial when you purchase our website documentation, all provide extensive practical advice to enable you to prepare for the GDPR and to avoid the potentially crippling fines for non-compliance.

There are a broad range of changes being introduced by the GDPR. Some of the key changes include:

  • Increased territorial scope. The GDPR will apply to overseas businesses that process personal data relating to individuals in the EU.
  • Penalties. The maximum penalties for breaches of data protection law are being increased substantially, from £500,000 up to the higher of €20,000,000 or 4% of annual worldwide turnover.
  • Obligations for data processors. Data processors will be held accountable for breaches in the same way as data controllers.
  • Removal of registration requirement with a Data Protection Authority. The requirement to register with a Data Protection Authority (which, for the UK, is the Information Commissioner’s Office (ICO)) will be removed.
  • New data subject rights. Data subjects will enjoy new rights in addition to the rights they currently enjoy under the existing data protection regime. These include changes to their subject access rights and new rights such as data portability and data erasure rights.
  • Increased burden to demonstrate compliance. All businesses will not only need to comply with the new requirements of the GDPR, but will also need to demonstrate their compliance. This means having in place up-to-date documentation, systems and procedures and visibly compliant website documentation.
  • Consent. The existing requirements for obtaining valid consent for the processing of personal data are being strengthened, and consents obtained for data processing under the existing regime may not be valid under the new regime.
  • Breach notifications. There is a new 72 hour time limit for notifying a Data Protection Authority about certain data breaches.
  • Transparency. All documentation relating to the data processing activities undertaken by any business must be complete, easy to understand, easily accessible to data subjects, and must set out their rights and specific information relating to the business.

New concepts. The GDPR will introduce a range of new concepts to data protection law, such as privacy by design and by default, pseudonymisation and accountability. Our guidance notes available via our Legal Update Platform provide a full description of these concepts and what they mean for businesses.

The new maximum fines for data protection law breaches are increasing from £500,000 to €20,000,000 or 4% of annual worldwide turnover (not profit) depending on the nature of the breach. Breaches that might attract these higher fines could include failing to obtain the correct consent from data subjects for the processing of their personal data or failing to ensure data is protected and secured by appropriate measures and technology. Our guidance notes provide concise practical advice on how to ensure you do not expose yourself to the risk of such fines.

No. Brexit will not affect the implementation of the GDPR in the UK because the GDPR comes into force on 25 May 2018, prior to the date when the UK will have left the European Union.

Once the UK has left the European Union, the UK Government will theoretically be free to amend and repeal the GDPR. However, this is very unlikely to occur, as the UK has generally been supportive of European Union data protection legislation, and repealing or watering down the provisions of the GDPR could have adverse consequences for businesses wishing to continue to trade with the European Union following Brexit. Moreover, the UK Parliament is already preparing to implement the GDPR through national legislation in the form of a new Data Protection Act, so the GDPR looks set to remain part of UK law, whether directly or indirectly, for the foreseeable future.

No. Your business is responsible for its own data processing activities, even where third parties are involved. Website developers will only have limited control (if any) over the data processing carried out by your business, and so they are unlikely to be able to bring your practices into conformity with the new regime. Responsibility for data protection compliance cannot be assigned to a web developer or other third party; your business alone is responsible for ensuring that your practices, procedures and documentation are in order.

OUR BUSINESS

We provide the most comprehensive and best value GDPR-compliant document package available. Here are just a few of the key benefits:

  • Most compliant. All of our documentation has been specifically drafted to comply with the GDPR and to provide you with as much legal protection for your business as possible. We have even gone the extra mile and had our documents reviewed by a US attorney to ensure their compliance with relevant extra-territorial non-EU legislation, such as the California Online Privacy Protection Act (CalOPPA), as well as the Children’s Online Privacy Protection Act (COPPA). Our products far exceed the quality of other templates available online, many of which have not been reviewed or approved by a solicitor, attorney or lawyer and which fail to comply with relevant legislation, putting your business at risk of enormous fines and penalties.
  • Most flexibility. Our documents and guidance notes describe the full range of options available to you to achieve compliance with relevant UK and EU legislation, while focusing on the most straightforward, convenient and low-cost options, saving you both time and money.
  • Best guidance available. No competitor offers anywhere near as much useful guidance for tailoring the documentation to your website and business. This can save you huge sums of money in legal fees, which quickly and easily run into the thousands of pounds.
  • Best value. No competitor offers you the level of comprehensive documentary protection, advice and resources for the price of our website documentation. The only real alternative for getting high quality documentation for your website is to find a reputable data protection specialist or lawyer, which often costs thousands of pounds, so purchasing our website documentation is your easiest and most cost-effective solution by far, saving you an estimated 90-95% off the cost of a solicitor or lawyer.
  • Independently verified. Our template documents have been reviewed for suitability and GDPR compliance not only by ourselves but also by an independent UK solicitor and a UK barrister. We have also had our documents reviewed for compliance with relevant US legislation by a US attorney. No other document provider can claim this level of investment in their document templates.
  • ICO and Article 29 Working Party Guidance considered. Our documents have been prepared using the latest ICO and Article 29 Working Party guidance available. Our documentation is therefore not just compliant but effectively ‘gold-plated’, allowing you to go further than your competitors and adopt best practice, offering your business even greater protection and improving customer trust and confidence. Moreover, when it comes to enforcement, the ICO has stated that it will consider whether a business has followed best practice when considering whether a business has breached data protection law.

Unlike other companies purporting to offer similar documents, we haven’t just taken old documentation and made minor adjustments. Our documents and guidance notes were drafted from scratch for the specific purpose of complying with the GDPR. We have done this because we believe it is the only way to provide the highest possible level of compliance with the GDPR and to visibly demonstrate your compliance with the new regime. Moreover, all of our documentation has been prepared with careful consideration of each of the relevant provisions of the original legislation as well as official guidance from the ICO and the Article 29 Working Party.

If that were not enough, we have also had our documents reviewed and approved by a UK solicitor and UK barrister and by a US attorney for compliance with US legislation. You can therefore rest assured that with our website documentation, you will be using the latest, most up to date and state of the art documentation for your website.

Yes, the documents we provide are templates and you must tailor them to ensure that they are relevant to your particular website and business. While we have prepared the documents for use by the vast majority of websites and businesses, they will invariably need to be tailored to the specific features and functionality of your website and for what your business does with personal data. The cookies policy, for example, will require you to delete references to any types of cookies that you do not intend to use. All such adjustment options are made clearly visible in the documents themselves, and explained in full in the guidance notes accompanying them, so you should be able to do this yourself.

If you require modifications outside of the scope of the original documents and guidance notes, these are also possible, but we will not be able to guarantee that any such modifications that you make yourself will be compliant or fit for purpose. In this situation we would always recommend seeking appropriate advice. We offer a bespoke document tailoring service, so please feel free to contact us at info@gdprprivacypolicy.org and we can provide you with a quote.

When you purchase your document package, the latest versions of all documents and guidance notes will be immediately downloadable or sent within 24 hours to the email address that you provided at checkout. If you have not received the documents within that time period, please email us at sales@gdprprivacypolicy.org.

If you have purchased a subscription or taken out a free 6 month trial to our Legal Update Platform, you will be provided with unique login information to the customer area of our website. Once you have logged in, you will have access to the latest versions of all the documents, all guidance notes, and all the additional content available exclusively to subscribers, such as legal updates, summary guidance notes on new information provided by the data processing authority, and template responses to data subject requests.

WEBSITE DOCUMENTATION

The laws of most countries, including the UK, require you to provide a variety of information on your website. For example, the Electronic Commerce Regulations 2002 (SI 2002/2013) require businesses to provide specific information about their identity and other business information. The Data Protection Act 1998, soon to be replaced by the General Data Protection Regulation (GDPR), requires that businesses include privacy notices on their website setting out what a website owner does with personal data they collect from users and how they treat it. Similarly, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) require that website owners notify users about the use of cookies and that they obtain appropriate consent from those users before placing them on their users’ browser or computer.

These laws (as well as numerous other pieces of legislation) mean that website owners need to provide a great deal of information on their websites, usually in the form of a set of terms of use, privacy policy and cookies policy, and links to them on every page of the website.

The General Data Protection Regulation (GDPR) will introduce a broad range of new and specific requirements for privacy policies, and these differ substantially from requirements under current law. Many of the new requirements, such as the right to data portability, will not feature in privacy policies which were drafted for the current Data Protection Act 1998. Furthermore, a large amount of regulatory guidance from the Information Commissioner’s Office (ICO) and other legislation governing what should be included in privacy policies has changed over time. Due to the extensive changes which will need to be made to your privacy policy, it is far more efficient and effective to prepare your website for the GDPR with a privacy policy specifically designed to comply with it rather than to try to update an existing privacy policy which was never designed with GDPR compliance in mind. This is all the more the case because of the risk of serious fines for failing to update your privacy policy properly, so you need to be confident that your privacy policy is compliant.

Website terms of use are an important document with several functions:

  • they contain mandatory information which website owners are required by law to provide to their website users;
  • they set out the basis on which users are permitted to access, use and interact with the website and prohibit undesirable or unlawful conduct and any harmful practices;
  • they exclude the website owner’s liability to users and third parties as far as legally possible, including liability for inaccuracies, user-generated content and content on any linked sites;
  • they describe the availability of the website and exclude representations of suitability for purpose and viewing on different platforms;
  • they detail any requirements for registering on the site (such as age restrictions); and
  • they incorporate other important policies and documents by reference, such as the privacy policy, cookies policy and (where applicable) terms of sale.

The vast majority of websites, even those with limited or no interactive functions, place cookies on users’ browsers or computers every time they visit the website. There are numerous different types of cookies, all with different functions, and not all of which are fully in the control of the website owner. With very limited exceptions, website owners are required to notify users of the types of cookies and purposes for which they are used and to collect an appropriate form of consent for their use. Cookies policies, together with pop-up notifications, are a necessary and effective method of obtaining the appropriate consent for the use of cookies on your website.

If you are unsure whether you use cookies on your website, you should check using appropriate tools or contact your website developer. If you use Google Analytics, Google Adwords, Facebook Pixel or any other tracking technology on your website, you are required by law and by those third parties’ terms and conditions to have a cookies policy setting out how you use those technologies. If you embed videos, chat functions, comments sections, contact forms or any other third party functionality on your website, it is highly likely that you will need a cookies policy.

Our cookies policy and accompanying guidance note is one of the best available and can help you with all of these issues, providing you with the practical advice you need to tailor your cookies policy to your website’s specific requirements as well as to the latest software and third party cookies commonly used by websites today (such as Google Analytics, Facebook Pixel, and more).

Many e-commerce websites have a single set of terms and conditions relating to orders or purchases placed on their website, usually referred to as the ‘terms of sale’. These are unlikely to include many of the general terms of use designed to protect the website owner from unauthorised use of the website and to limit their liability to their users and other third parties. Moreover, these terms of sale are normally only visible at the point of purchase, some time after the user has had access to the site, or they are not brought to the user’s attention at all, reducing the likelihood that they will be legally enforceable. This means that the entirety of the user’s use of the site up until that point will not be governed by those terms, and to that extent, they will be ineffective. A separate notice, setting out the full terms and conditions upon which the site is made available to users, known as a website’s ‘terms of use’, should be accessible from the moment the user first accesses the website and available via a link on every page.

A full description of how terms of use should be used, including how they should be used alongside terms of sale for e-commerce sites, as well as practical advice as to where tick-box consent is needed before a user is bound by terms of use, is contained in our guidance notes accompanying our comprehensive terms of use template.