
General Data Protection Regulation (GDPR) FAQs

Businesses and other organisations handling personal data in the UK need to ensure that they comply with data protection laws, especially the GDPR. Read this guide for answers to some frequently asked questions about the GDPR.

Last reviewed 23 September 2022.

Make your GDPR documents
Get started
Answer a few questions. We'll take care of the rest

The UK GDPR (referred to as the ‘GDPR’), implemented in the UK by the Data Protection Act 2018 (DPA), provides a legal framework protecting personal data within the UK.

The GDPR and the DPA apply to businesses that store or handle personal data. This means that you will be subject to the GDPR if you are a business or other organisation:

  • established in the UK and conducting business operations, or

  • monitoring the behaviour of persons within the UK

The GDPR has an ‘extraterritorial reach’, meaning that many organisations based outside the UK (in the case of the UK GDPR) must comply with GDPR when processing personal data. Similarly, UK organisations may have to comply with the EU GDPR (the GDPR that applies across the European Union) if they process personal data belonging to individuals based in the EU.

The GDPR applies to personal data, meaning any information relating to an identifiable person, ie someone who can be directly or indirectly identified by reference to an identifier. Examples of personal data include names, dates of birth, contact details and credit card details.

There is a further category, special category personal data, which is given greater protection. This type of personal data includes information about someone’s mental or physical health and information about their religious beliefs.

For more information, read Data protection.

The GDPR applies whenever you are processing personal data. You are processing personal data whenever you use it (other than for personal reasons). Examples of processing include gathering, recording and storing. For more information, read Processing personal data.

The documents you need for your website will depend on the specifics of your situation, including the extent of data you collect from users. However, as a starting point, your website will generally require a Privacy policy and a Cookie policy.

Cookies are small text files, stored on a user’s device, that are used to identify that device, assist the operation of the website and provide information to the owners of the website.

A cookie policy sets out what types of cookies a website uses, why these cookies are used and what they do. If you use cookies to uniquely identify a device or the person using that device, the data those cookies hold is considered personal data under the GDPR. As a result, it is recommended that you have a cookie policy in place to stay GDPR-compliant.

For more information on the different types of cookies, read Different types of internet cookies.

A website privacy policy sets out: 

  • why your website is collecting data

  • what type of information your website collects, and

  • the scope and limitation of data processing on your website

Essentially, your privacy policy outlines your business’ practices in relation to the collection, storage and use of personal data gathered on your website. 

To comply with the GDPR, you need a privacy policy if you collect and process your users’ personal data.

The UK GDPR and EU GDPR are almost identical. Both GDPRs: 

However, this means that there are two different GDPRs that you have to deal with - one that applies if you have visitors from inside the EU, the other if you have visitors from inside the UK.

You should Ask a lawyer if you have any questions or concerns about processing the personal data of EU users.

The simple answer is that you should store personal data for as long as you need it.

Neither the UK GDPR nor the EU GDPR specifies any retention periods for personal data. Instead, you can keep data for as long as you can justify its use, which most often depends on the reason you collected it in the first place (to determine your target market, for example).

You should securely destroy or anonymise personal data when you no longer need it.

A DPO is a data protection expert who is appointed to assist with an organisation’s data protection compliance. They usually do this by, for example, monitoring data processing activities and providing data protection advice and training.   

Not all organisations need to have a DPO. However, even if you don’t have to have a DPO you can appoint one voluntarily to help you comply with the GDPR. For more information, read Data protection officers (DPOs).

Transferring personal data to recipients outside of the UK (known as ‘third countries’) is prohibited unless certain safeguards exist. Examples of such safeguards include:

  • ‘adequate’ third countries - data can be transferred internationally without the need for any further safeguards if the UK has decided that the country the recipient is located in has an adequate level of data protection (eg all European Economic Area countries are currently considered adequate)

  • the adoption of standard contractual clauses - data can be transferred internationally on the basis of standard data protection clauses approved by the UK

For more information, read International transfers of personal data.
