GDPR Compliant Website Privacy Policy – 2 Simple Reasons Why You Literally Can’t Afford Not To Have One!
Many businesses have started to prepare for the entry of the General Data Protection Regulation (GDPR) into force on 25 May 2018. Many have spent a large amount of money on technology and GDPR audits to ensure compliance, but (interestingly) have so far failed to take the critical and relatively easy step of updating their privacy policy to comply with the GDPR.
Surely the privacy policy is a relatively unimportant change compared to ensuring privacy by design and that privacy impact assessments are carried out where necessary? The answer, surprisingly, is no. Here’s why:
1. Fines of up to €20,000,000 or 4% of turnover, whichever is higher. Failing to have a GDPR-compliant privacy policy in place is an instant and automatic breach of the GDPR, and can attract the maximum fines of up to €20,000,000 or 4% of turnover. This is the case for several reasons but principally because Article 83(5) of the GDPR states that the fines can be imposed for infringements of “the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9” and “data subjects’ rights pursuant to Articles 12 to 22”.
Article 5, for example, requires that personal data be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. Failure to set out the new data subject rights in your privacy policy, for instance, will mean that you have broken the law and are therefore processing data unlawfully. Moreover, failing to disclose all of the information required by the GDPR in your privacy policy will mean that you are processing personal data unfairly and non-transparently, as you have not informed individuals what you will do with their personal data, breaching the same requirement.
If that were not enough, any infringement of Articles 12 to 22 (the articles most relevant to website privacy policies) is specifically addressed as a compliance failure that can also attract the highest fines. The most relevant articles in question are 13 and 14, as they govern the information required in a privacy policy. Failure to provide all of the information those articles require, exactly as required, will constitute an infringement of data subjects’ rights. This is particularly easy to fall foul of because of the highly prescriptive nature of the obligations in Articles 13 and 14 and because of the general obligation in Article 12 to provide such information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”. Anyone not familiar with the legislation will have great difficulty amending their privacy policy to meet these new, extremely onerous requirements. Being concise while setting out all of the information required, for example, would be a challenge for even the most talented lawyer or writer.
Let’s take a specific example of just how easy it is to breach one of these provisions. Article 14(2)(a) requires that a data controller disclose “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine the period”. We have seen disastrous examples online of policies claiming to be GDPR compliant which state that personal information will be held for 6 years in accordance with UK tax law. Unless all the data you possess is being processed for specific tax record-keeping purposes, which have a 6 year time limit (almost impossible), this is simply untrue and will therefore be immediately unlawful and unfair (e.g. for data you have collected for marketing purposes or enquiries received from customers) and will breach Article 14(2)(a), exposing you to the risk of fines. Unless you can be absolutely positive that you will retain someone’s information for a specific period of time, it is far wiser to set out the criteria you use to determine the period for which you will retain personal information, such as whether you need to keep it as a result of a legal obligation or for as long as you have the consent of the data subject.
2. Your privacy policy is public. Your website is public for anyone to view. Let’s just think about what that means – your customers, many of whom are likely to be data subjects themselves and are therefore able to exercise their new and enhanced data subject rights under the GDPR, such as data portability. What happens if a customer visits your website to check how to submit a data portability request and your privacy policy makes no reference to it whatsoever? The data subject, who will by the nature of their enquiry be concerned with their personal data, will instantly know that you are non-compliant with the GDPR and, because it’s in writing and therefore immediately provable, there will be nothing you can do about it. Updating it later will be of no use: your website records will show the privacy policy you had in place at the time. Moreover, the data subject can immediately go to the Information Commissioner’s Office (ICO), the UK regulator responsible for enforcing the GDPR, and lodge a complaint. Because the ICO is obliged to respond to complaints, it will therefore be compelled to investigate, and there will be no debate to be had or defence to be relied upon – the right to data portability was simply not included in your privacy policy and you have therefore breached one of the fundamental principles of the GDPR. It’s then over to the ICO to decide what to do and how much to fine you for not taking data subjects’ rights seriously.
Worse, let’s consider one of your competitors. A competitor can, just as a customer can, take one look at your privacy policy and instantly see if you are compliant with the new legislation. If not, they are entitled to complain to the ICO just like anyone else, the only difference being that they have a far greater commercial incentive to do so and can do so anonymously. The same situation has occurred with competition law in the UK, where competitors report anti-competitive behaviour to the Competition and Markets Authority, so there is no reason to think that savvy and unscrupulous competitors will not take the same approach with data protection law – what easier way to put a competitor out of business or cause them hardship than to report them to the ICO and let an investigation and a potentially very significant fine ensue? Businesses are already terrified about the consequences of a solicitor submitting bulk subject access requests, now that the right of businesses to charge a £10 fee to deal with such a request will be removed. Whether subject access requests will be submitted in bulk on a large scale remains to be seen, but what is clear is that the incentives to report non-compliance to the regulator are higher than ever.
Lastly, what happens if the ICO comes across your non-compliant website itself? What will they think about your approach to the GDPR and whether you are complying with its other, more onerous obligations? You get the idea.
So, as you can see, with a bit of reflection and analysis it becomes clear why it’s so important to get a GDPR-compliant privacy policy in place. Indeed, it is probably one of the single most important GDPR obligations you need to comply with. The good news is that we have the market-leading affordable solution available, which is guaranteed to be GDPR-compliant and has been reviewed and approved by an independent UK solicitor, a UK barrister, and by a US attorney for US law compliance: Our Website Documentation Package
Our Website Documentation Package contains a GDPR-compliant privacy policy, cookies policy and terms of use for your website, as well as comprehensive guidance notes on how to prepare your website for the GDPR. As a thank you for reading this blog and being concerned with data protection, you can enter the following discount code at checkout, which will give you 10% off the RRP of £150 +VAT: gdprcompliantprivacypolicy
If you have any questions, feel free to email us at enquiries@gdprprivacypolicy.org