Profile information Account settings
Sign up Sign in

Make your Data protection policy

Answer a few questions. We'll take care of the rest

Data protection considerations

The Data Protection Act 2018 (DPA) is designed to regulate the use of personal data by businesses and other organisations. The DPA is the main legislation implementing the UK General Data Protection Regulations (GDPR).

Anyone processing personal data must ensure that it is:

  • used fairly, lawfully and in a transparent manner

  • collected for specified, explicit and legitimate purposes

  • adequate, relevant and its collection is limited to what is necessary

  • accurate and kept up to date

  • kept in a form that enables identification of data subjects for no longer than is necessary

  • handled according to the data protection rights of individuals, and

  • not transferred outside the UK without adequate protection. Data transfers to the EEA and certain other states are covered by adequacy decisions, meaning that additional paperwork is usually not required 

Organisations that determine the purpose for which personal data is processed (ie data controllers) must pay the Information Commissioner's Office (ICO) a data protection fee unless they are exempt. 

For more information, read Data protection, Data protection principles and Data protection for businesses.

Privacy and cookies

Cookies are files stored on a computer’s browser by websites that can be used for various purposes, often related to marketing or advertising.


If you use cookies to uniquely identify a device or the person using that device, these are considered personal data under the GDPR. This means that cookies used for analytics, advertising and functional services come within the ambit of the GDPR. To be compliant, you'll need to stop collecting cookies that uniquely identify individuals or find a lawful ground to collect and process the data, for example, consent.

Such consent must be:

  • given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a website doesn’t count as consent.

  • given freely and genuinely

It must be as easy to withdraw consent as it is to give it. This means that if you want to tell people to block cookies if they don’t give their consent, you must make them accept cookies first. You must also give people the option to change their minds (ie by providing an opt-out option).

Privacy and Electronic Communications Regulations

The Privacy and Electronic Communications Regulations (PECR) set out certain online marketing obligations and govern the use of cookies (also known as the Cookie Law).

Under the PECR, websites cannot use 'non-essential' cookies unless the consent of the user is expressly given - ie users must opt-in before such cookies can be used.

Non-essential cookies are those which are used for analytical purposes or to assist with advertising. Even cookies that customise a website (such as providing a greeting message) are deemed to be non-essential.

Essential cookies are generally those which enable an online checkout process to work properly, or which are required for technical or security purposes. Using essential cookies does not require a user’s consent, but it is good practice to ensure that information about these cookies is available.

Failure to comply with the Cookie Law can lead to fines of up to £500,000. There are also smaller penalties, such as being sent an information notice or an enforcement notice.

A Website privacy policy with an integrated cookie policy or a separate Cookie policy helps to reassure visitors that their personal data is protected and can assist in compliance with the GDPR and the Cookie Law.

Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors

Try Rocket Lawyer FREE for 7 days

Start your Premium Membership now and get legal services you can trust at prices you can afford. You’ll get:

All the legal documents you need—customise, share, print & more

Unlimited electronic signatures with RocketSign®

Ask a lawyer questions* and get a response within one business day

Access to legal guides on 100s of topics

A 30-minute consultation with a lawyer about any new issue

33% off hourly rates or a fixed price if you need further legal help

*Subject to terms and conditions