FAQ about GDPR

What is the GDPR?

The GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), an EU Regulation which will govern processing of personal data across all European Union member states, and by foreign individuals and entities to the extent that they process the personal data of individuals in the European Union.

When is the GDPR coming into force?

25 May 2018.

Which businesses will be affected by the GDPR?

Virtually all businesses will be affected by the GDPR because almost every business collects, stores or otherwise processes personal data for one reason or another. Personal data means any information relating to an identified or identifiable natural person. Under the GDPR, the definition of personal data will be expanded to specifically include online identifiers and IP addresses, amongst other expansions of the definition. Most businesses collect and process some amount of personal data (often without even realising it) via their websites and in the ordinary course of business. The GDPR applies to all such businesses, and businesses should therefore ensure that they are up to speed with their changing obligations and new requirements before the GDPR comes into force, particularly because of the risk of enormous fines for non-compliance.

How does the GDPR affect my business?

Your business will have a range of new compliance obligations to adhere to (failure to do so will risk exposing you to serious fines; see ‘How much are the new fines?’ below). These include:

  • ensuring that, where required, GDPR-compliant consents are obtained for data subjects whose data are processed;
  • providing up-to-date and accurate information in privacy policy notices, including about the personal data you process, why you process it, the legal grounds you rely on for such processing and new and enhanced subject access rights;
  • ensuring that all processing activities undertaken by your business are fair and compliant with the new data protection regime;
  • ensuring that all documentation relating to personal data is clearly accessible on your public website and is complete and transparent;
  • keeping a register of data processing activities;
  • implementing ‘privacy by design and by default’ into your processing systems; and
  • ensuring that your business is capable of effectively responding to any requests by data subjects to exercise their new rights of data portability and data erasure.

Our website documentation, guidance notes and Legal Update Platform, which is available on a subscription basis and includes a free six month trial when you purchase our website documentation, all provide extensive practical advice to enable you to prepare for the GDPR and to avoid the potentially crippling fines for non-compliance.

What is changing?

There are a broad range of changes being introduced by the GDPR. Some of the key changes include:

  • Increased territorial scope. The GDPR will apply to overseas businesses that process personal data relating to individuals in the EU.
  • Penalties. The maximum penalties for breaches of data protection law are being increased substantially, from £500,000 up to the higher of €20,000,000 or 4% of annual worldwide turnover.
  • Obligations for data processors. Data processors will be held accountable for breaches in the same way as data controllers.
  • Removal of registration requirement with a Data Protection Authority. The requirement to register with a Data Protection Authority (which, for the UK, is the Information Commissioner’s Office (ICO)) will be removed.
  • New data subject rights. Data subjects will enjoy new rights in addition to the rights they currently enjoy under the existing data protection regime. These include changes to their subject access rights and new rights such as data portability and data erasure rights.
  • Increased burden to demonstrate compliance. All businesses will not only need to comply with the new requirements of the GDPR, but will also need to demonstrate their compliance. This means having in place up-to-date documentation, systems and procedures and visibly compliant website documentation.
  • Consent. The existing requirements for obtaining valid consent for the processing of personal data are being strengthened, and consents obtained for data processing under the existing regime may not be valid under the new regime.
  • Breach notifications. There is a new 72 hour time limit for notifying a Data Protection Authority about certain data breaches.
  • Transparency. All documentation relating to the data processing activities undertaken by any business must be complete, easy to understand, easily accessible to data subjects, and must set out their rights and specific information relating to the business.

  • New concepts. The GDPR will introduce a range of new concepts to data protection law, such as privacy by design and by default, pseudonymisation and accountability. Our guidance notes available via our Legal Update Platform provide a full description of these concepts and what they mean for businesses.

How much are the new fines?

The new maximum fines for data protection law breaches are increasing from £500,000 to €20,000,000 or 4% of annual worldwide turnover (not profit), depending on the nature of the breach. Breaches that might attract these higher fines could include failing to obtain the correct consent from data subjects for the processing of their personal data or failing to ensure data is protected and secured by appropriate measures and technology. Our guidance notes provide concise practical advice on how to ensure you do not expose yourself to the risk of such fines.

Will Brexit affect the GDPR?

No. Brexit will not affect the implementation of the GDPR in the UK because the GDPR comes into force on 25 May 2018, prior to the date when the UK will have left the European Union.

Once the UK has left the European Union, the UK Government will theoretically be free to amend and repeal the GDPR. However, this is very unlikely to occur, as the UK has generally been supportive of European Union data protection legislation, and repealing or watering down the provisions of the GDPR could have adverse consequences for businesses wishing to continue to trade with the European Union following Brexit. Moreover, the UK Parliament is already preparing to implement the GDPR through national legislation in the form of a new Data Protection Act, so the GDPR looks set to remain part of UK law, whether directly or indirectly, for the foreseeable future.

My website developers do all my IT work, can’t I leave this to them?

No. Your business is responsible for its own data processing activities, even where third parties are involved. Website developers will only have limited control (if any) over the data processing carried out by your business, and so they are unlikely to be able to bring your practices into conformity with the new regime. Responsibility for data protection compliance cannot be assigned to a web developer or other third party; your business alone is responsible for ensuring that your practices, procedures and documentation are in order.

Why should I buy these documents from GDPR Privacy Policy?

We provide the most comprehensive and best value GDPR-compliant document package available. Here are just a few of the key benefits:

Most compliant. All of our documentation has been specifically drafted to comply with the GDPR and to provide you with as much legal protection for your business as possible. We have even gone the extra mile and had our documents reviewed by a US attorney to ensure their compliance with relevant extra-territorial non-EU legislation, such as the California Online Privacy Protection Act (CalOPPA), as well as the Children’s Online Privacy Protection Act (COPPA). Our products far exceed the quality of other templates available online, many of which have not been reviewed or approved by a solicitor, attorney or lawyer and which fail to comply with relevant legislation, putting your business at risk of enormous fines and penalties.

Most flexibility. Our documents and guidance notes describe the full range of options available to you to achieve compliance with relevant UK and EU legislation, while focusing on the most straightforward, convenient and low-cost options, saving you both time and money.

Best guidance available. No competitor offers anywhere near as much useful guidance for tailoring the documentation to your website and business. This can save you huge sums of money in legal fees, which quickly and easily run into the thousands of pounds.

Best value. No competitor offers you the level of comprehensive documentary protection, advice and resources for the price of our website documentation. The only real alternative for getting high quality documentation for your website is to find a reputable data protection specialist or lawyer, which often costs thousands of pounds, so purchasing our website documentation is your easiest and most cost-effective solution by far, saving you an estimated 90-95% off the cost of a solicitor or lawyer.

Independently verified. Our template documents have been reviewed for suitability and GDPR compliance not only by ourselves but also by an independent UK solicitor and a UK barrister. We have also had our documents reviewed for compliance with relevant US legislation by a US attorney. No other document provider can claim this level of investment in their document templates.

ICO and Article 29 Working Party Guidance considered. Our documents have been prepared using the latest ICO and Article 29 Working Party guidance available. Our documentation is therefore not just compliant but effectively ‘gold-plated’, allowing you to go further than your competitors and adopt best practice, offering your business even greater protection and improving customer trust and confidence. Moreover, when it comes to enforcement, the ICO has stated that it will consider whether a business has followed best practice when considering whether a business has breached data protection law.

How can I be sure that the documents comply with the GDPR?

Unlike other companies purporting to offer similar documents, we haven’t just taken old documentation and made minor adjustments. Our documents and guidance notes were drafted from scratch for the specific purpose of complying with the GDPR. We have done this because we believe it is the only way to provide the highest possible level of compliance with the GDPR and to visibly demonstrate your compliance with the new regime. Moreover, in all of our documentation we have carefully considered each of the relevant provisions of the original legislation as well as official guidance from the ICO and the Article 29 Working Party.

If that were not enough, we have also had our documents reviewed and approved by a UK solicitor and a UK barrister, and by a US attorney for compliance with US legislation. You can therefore rest assured that with our website documentation, you will be using the latest, most up-to-date and state-of-the-art documentation for your website.

Can I modify the documents myself?

Yes, the documents we provide are templates and you must tailor them to ensure that they are relevant to your particular website and business. While we have prepared the documents for use by the vast majority of websites and businesses, they will invariably need to be tailored to the specific features and functionality of your website and for what your business does with personal data. The cookies policy, for example, will require you to delete references to any types of cookies that you do not intend to use. All such adjustment options are made clearly visible in the documents themselves, and explained in full in the guidance notes accompanying them, so you should be able to do this yourself.

If you require modifications outside of the scope of the original documents and guidance notes, these are also possible, but we will not be able to guarantee that any such modifications that you make yourself will be compliant or fit for purpose. In this situation we would always recommend seeking appropriate advice. We offer a bespoke document tailoring service, so please feel free to contact us at info@gdprprivacypolicy.org and we can provide you with a quote.

How will I get access to the documents?

When you purchase your document package, the latest versions of all documents and guidance notes will be immediately downloadable or sent within 24 hours to the email address that you provided at checkout. If you have not received the documents within that time period, please email us at sales@gdprprivacypolicy.org.

If you have purchased a subscription or taken out a free 6 month trial of our Legal Update Platform, you will be provided with unique login information for the customer area of our website. Once you have logged in, you will have access to the latest versions of all the documents, all guidance notes, and all the additional content available exclusively to subscribers, such as legal updates, summary guidance notes on new information provided by the data protection authority, and template responses to data subject requests.

Why do I need documentation on my website?

The laws of most countries, including the UK, require you to provide a variety of information on your website. For example, the Electronic Commerce Regulations 2002 (SI 2002/2013) require businesses to provide specific information about their identity and other business information. The Data Protection Act 1998, soon to be replaced by the General Data Protection Regulation (GDPR), requires that businesses include privacy notices on their website setting out what a website owner does with personal data they collect from users and how they treat it. Similarly, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) require that website owners notify users about the use of cookies and that they obtain appropriate consent from those users before placing them on their users’ browser or computer.

These laws (as well as numerous other pieces of legislation) mean that website owners need to provide a great deal of information on their websites, usually in the form of a set of terms of use, privacy policy and cookies policy, and links to them on every page of the website.

I already have a privacy policy, why do I need a new one?

The General Data Protection Regulation (GDPR) will introduce a broad range of new and specific requirements for privacy policies, and these differ substantially from the requirements under current law. Many of the new requirements, such as the right to data portability, will not feature in privacy policies which were drafted for the current Data Protection Act 1998. Furthermore, a large amount of regulatory guidance from the Information Commissioner’s Office (ICO) and other legislation governing what should be included in privacy policies has changed over time. Due to the extensive changes which will need to be made to your privacy policy, it is far more efficient and effective to prepare your website for the GDPR with a privacy policy specifically designed to comply with it rather than to try to update an existing privacy policy which was never designed with GDPR compliance in mind. This is all the more the case because of the risk of serious fines for failing to update your privacy policy properly, so you need to be confident that your privacy policy is compliant.

What is the purpose of terms of use?

Website terms of use are an important document with several functions:

  • they contain mandatory information which website owners are required by law to provide to their website users;
  • they set out the basis on which users are permitted to access, use and interact with the website and prohibit undesirable or unlawful conduct and any harmful practices;
  • they exclude the website owner’s liability to users and third parties as far as legally possible, including liability for inaccuracies, user-generated content and content on any linked sites;
  • they describe the availability of the website and exclude representations of suitability for purpose and viewing on different platforms;
  • they detail any requirements for registering on the site (such as age restrictions); and
  • they incorporate other important policies and documents by reference, such as the privacy policy, cookies policy and (where applicable) terms of sale.

I don’t think my website uses cookies, why do I need a cookies policy?

The vast majority of websites, even those with limited or no interactive functions, place cookies on users’ browsers or computers every time they visit the website. There are numerous different types of cookies, all with different functions, and not all of which are fully in the control of the website owner. With very limited exceptions, website owners are required to notify users of the types of cookies and purposes for which they are used and to collect an appropriate form of consent for their use. Cookies policies, together with pop-up notifications, are a necessary and effective method of obtaining the appropriate consent for the use of cookies on your website.

If you are unsure whether you use cookies on your website, you should check using appropriate tools or contact your website developer. If you use Google Analytics, Google Adwords, Facebook Pixel or any other tracking technology on your website, you are required by law and by those third parties’ terms and conditions to have a cookies policy setting out how you use those technologies. If you embed videos, chat functions, comments sections, contact forms or any other third party functionality on your website, it is highly likely that you will need a cookies policy.

Our cookies policy and accompanying guidance note is one of the best available and can help you with all of these issues, providing you with the practical advice you need to tailor your cookies policy to your website’s specific requirements as well as to the latest software and third party cookies commonly used by websites today (such as Google Analytics, Facebook Pixel, and more).

I already have terms and conditions for purchases made on my website; why would I need another set of terms and conditions?

Many e-commerce websites have a single set of terms and conditions relating to orders or purchases placed on their website, usually referred to as the ‘terms of sale’. These are unlikely to include many of the general terms of use designed to protect the website owner from unauthorised use of the website and to limit their liability to their users and other third parties. Moreover, these terms of sale are normally only visible at the point of purchase, some time after the user has had access to the site, or they are not brought to the user’s attention at all, reducing the likelihood that they will be legally enforceable. This means that the entirety of the user’s use of the site up until that point will not be governed by those terms, and to that extent, they will be ineffective. A separate notice, setting out the full terms and conditions upon which the site is made available to users, known as a website’s ‘terms of use’, should be accessible from the moment the user first accesses the website and available via a link on every page.

A full description of how terms of use should be used, including how they should be used alongside terms of sale for e-commerce sites, as well as practical advice as to where tick-box consent is needed before a user is bound by terms of use, is contained in the guidance notes accompanying our comprehensive terms of use template.

Why do I need legal updates?

Even the best and most carefully drafted documents need to be updated to reflect changes in law. The law is constantly changing and, although major changes in law like the GDPR do not come round often, the interpretation of laws changes over time as new decisions are made by judges in court cases, exemptions in national and secondary legislation are applied, and new guidance from regulators like the Information Commissioner’s Office (ICO) or interpretative bodies like the Article 29 Working Party is issued. Therefore, while all of our documentation has been drafted for compatibility with the GDPR and all other applicable legislation at the time of purchase, our documents will invariably need to be updated for new laws affecting websites (e.g. the new e-Privacy Regulation), the new Data Protection Act being prepared by Parliament, changes in law as a result of Brexit and continually changing interpretations of the law. We provide periodic updates of our guidance notes to describe the latest official practices and upload regular content to assist businesses with new methods of ensuring that their data processing activities are fully compliant with applicable legislation.

It is essential for all businesses dealing with personal data to remain up to date and to ensure that their documentation and practices accord with the latest interpretations of the legislation and changes in law so they can ensure compliance and avoid potentially catastrophic and crippling fines. At only £25 +VAT per year, our Legal Update Platform is the most cost-effective way to achieve ongoing legal compliance for your website and costs a fraction of what it would cost to pay a solicitor or other professional to provide you with a similar service.

What will I get from my legal update platform subscription?

Our Legal Update Platform subscription includes:

  • access to the latest versions of our Terms of Use (including User Content Agreement), our Privacy Policy and Cookies Policy;
  • access to the latest versions of all guidance notes to help you adapt all of our website documentation for your website. These contain up-to-date and user-friendly tips and advice to help you ensure that your documents and practices comply with relevant data protection rules;
  • template response letters to help you respond to subject access requests, saving you precious time and money when handling such a request;
  • guidance notes for handling subject access requests, ensuring you know what you have to provide and when you have to provide it by;
  • practice notes on key GDPR issues such as consents, cookies, reporting breaches and pseudonymisation (amongst others);
  • legal updates following developments in case law, ICO guidance and secondary legislation, outlining their impact clearly and simply and setting out any practical steps you need to take as a consequence; and
  • regulatory guidance summaries, concisely outlining the key points from ICO guidance, so you can take relevant actions quickly and effectively and avoid the need to read through lengthy guidance notes.

How much does the legal update platform subscription cost?

Subscriptions are incredibly affordable and cost-effective at just £30 + VAT a year! In addition, customers who purchase our document packages will also be given the opportunity to enjoy a 6-month free, no obligation trial period for all subscription content.

How often will legal updates be provided?

The rate at which legal updates are provided varies based on a range of factors, but primarily based on the rate at which the law changes or relevant guidance from the ICO or Article 29 Working Party is issued.

We will update our document templates following any relevant changes in law and update our guidance notes regularly, at least every time new guidance materials are published by the ICO or other authorities, or whenever new case-law affects a relevant practice. We will add summaries of new regulatory materials whenever they are published, and will generally add new additional content as often as possible to answer questions we frequently receive and to provide helpful advice in relation to key topics in data protection such as marketing, cyber-security and consent.

Will I be notified when updates are available?

Yes. All subscribers to our Legal Update Platform will receive email notifications every time we update or upload new documents, so you will be aware of any changes as soon as we make them.

If you are not receiving email notifications at all, or as often as you are expecting, please check your spam folders for emails from GDPR Privacy Policy and add our address to your white-list of genuine senders. This should prevent you from missing out on key updates in the future.

We are also working on a new system that will allow subscribers to select their own preferences for when they wish to receive notifications. If you only want to hear about new versions of the template documents and not the guidance, that’s fine!

How can I show that my documents are up to date?

The easiest way to check whether a website is compliant with the GDPR is to look at its website documentation (i.e. the terms of use, privacy policy and cookies policy, usually reached via links at the bottom of the website). Use of our website documentation is a significant and meaningful way in which you can demonstrate compliance to your customers, competitors and data protection authorities, as well as showing them that you are aware of the new legislation and have taken steps to comply.

In addition, all subscribers to our Legal Update Platform will be able to use our ‘GDPR Privacy Policy’ logo on their website to indicate that they have adopted our up-to-date website documentation and have therefore taken steps to comply with the GDPR. While use of the logo cannot certify that you are compliant with the GDPR more generally, and we are not a certification body, it demonstrates to third parties that you have adopted our GDPR compliant templates as the basis for your website documentation and that you take data protection seriously, and it can improve the trust and confidence your website users place in you, particularly at a time when individuals are becoming increasingly concerned about how corporations and businesses treat their personal data.

What does it mean when I display the logo?

Displaying the ‘GDPR Privacy Policy’ logo on your website means:

  • that you have adopted GDPR compliant website documentation and care about your ongoing legal compliance obligations;
  • that your business has received essential advice from a specialist data protection advisory and consultancy service as to how to align its online activities, websites and data processing procedures with compliant practices and that you are concerned with your continuing compliance obligations;
  • that your business takes data protection seriously, and takes care to safeguard the privacy rights and best interests of its customers and clients;
  • that your website documentation is innovative, modern and up-to-date; and
  • that your business will be made aware of future changes in law, and will be provided with the means to react to any changes to stay ahead of the curve and your competitors with data protection compliance.

Where can I use the logo?

Subscribers to our Legal Update Platform may use our logo by displaying it on their public website (in a footer, for example) and on the pages containing any documentation purchased from us, such as the Terms and Conditions, Privacy Policy and Cookies Policy.

Since the GDPR Privacy Policy logo is a statement that you have adopted up-to-date legal templates as the basis of your website documentation, customers will only be able to use the logo so long as they continue to subscribe to our Legal Update Platform. If a customer unsubscribes from our Legal Update Platform, they will have to remove the logo from their website, but they can continue to use the versions of the documentation they previously purchased from us indefinitely.

© 2018 Herbert & Ball LLP. All rights reserved.
“GDPR Privacy Policy” is a trading name of Herbert & Ball LLP, a limited liability partnership registered in England and Wales (registration number: OC417678).
Registered office: International House, 142 Cromwell Road, Kensington, London, SW7 4EF. VAT registration number: GB270901516.