General Data Protection Regulation (GDPR) FAQs
The UK GDPR (referred to as the ‘GDPR’), implemented in the UK by the Data Protection Act 2018 (DPA), provides a legal framework protecting personal data within the UK.
Businesses and other organisations handling personal data in the UK need to ensure that they comply with data protection laws, especially the GDPR. Read this guide for answers to some frequently asked questions about the GDPR.
What is the GDPR?
Does the GDPR apply to me?
The GDPR and the DPA apply to businesses that store or handle personal data. This means that you will be subject to the GDPR if you are a business or other organisation that is:
- established in the UK and conducting business operations there, or
- monitoring the behaviour of persons within the UK
The GDPR has an ‘extraterritorial reach’, meaning that many organisations based outside the UK must comply with the UK GDPR when processing the personal data of individuals in the UK. Similarly, UK organisations may have to comply with the EU GDPR (the GDPR that applies across the European Union) if they process personal data belonging to individuals based in the EU.
What kind of information does the GDPR apply to?
The GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. Examples of personal data include names, dates of birth, contact details and credit card details.
There is a further category of special category personal data which is afforded greater protection. This type of personal data includes information about someone’s mental or physical health and information about religious beliefs.
For more information, read Data protection.
What kind of behaviour does the GDPR apply to?
The GDPR applies whenever you are processing personal data. You are processing personal data whenever you use personal data (other than for purely personal reasons). Examples of processing include gathering, recording and storing. For more information, read Processing personal data.
I am launching a website. What documents would I need if I collect user data?
The documents you need for your website will depend on the specifics of your situation, including the extent of data you collect from users. However, as a starting point, your website will generally require a Privacy policy and a Cookie policy.
What is a cookie policy and do I need one?
Cookies are text files with small pieces of data that are used to identify your computer, assist the operation of the website, and provide information to the owners of a website.
A cookie policy sets out what type of cookies a website uses, why these cookies are used and what they do. If you use cookies to uniquely identify a device or the person using that device, these are considered personal data under the GDPR. As a result, it is recommended that you have a cookie policy in place to stay GDPR-compliant.
For more information on the different types of cookies, read Different types of internet cookies.
What is a privacy policy and do I need one?
A website privacy policy sets out:
- why your website is collecting data
- what type of information your website collects, and
- the scope and limitation of data processing on your website
Essentially, your privacy policy outlines your business’ practices in relation to the collection, storage and use of personal data gathered on your website.
To comply with the GDPR, you need a privacy policy if you collect and process your users’ personal data.
How do I comply with the GDPR for website visitors from the EU?
The UK GDPR and EU GDPR are almost identical. Both GDPRs:
- require you to safely store and document consent given by users to any data processing
- require your website to enable users to withdraw or change their consent just as easily as they gave it
- give certain rights to users, chief among them being the right to have their personal data deleted
However, they are still two separate laws that you have to deal with: the EU GDPR applies if you have visitors from inside the EU, and the UK GDPR applies if you have visitors from inside the UK.
You should Ask a lawyer if you have any questions or concerns about processing the personal data of EU users.
For how long should I store user personal data?
The simple answer is that you should store data for only as long as you need it.
Neither the UK GDPR nor the EU GDPR specifies fixed retention periods for personal data. Instead, you may keep data for as long as you can justify its use, which most often relates to the reason you collected it in the first place (to determine your target market, for example).
You should securely destroy or anonymise personal data when you no longer need it.
Does my business need a data protection officer (DPO)?
A DPO is a nominated person within a business who is responsible for ensuring data protection compliance. A DPO will generally be required if a business:
- is a public authority (with the exception of courts acting in their judicial capacity)
- carries out large-scale systematic monitoring of individuals (eg online behaviour tracking)
- carries out large-scale processing of special categories of data or data relating to criminal convictions and offences
A business that does not require a DPO can still appoint one if it wishes to do so. However, if a DPO is not appointed because one isn’t necessary, the business needs to ensure that it has sufficient staff and skills in place to carry out its obligations under the GDPR.
For more information, read Data protection.
Can I transfer data outside of the UK?
Transferring personal data to recipients outside of the UK (known as ‘third countries’) is prohibited unless certain safeguards exist. Examples of such safeguards include:
- ‘adequate’ third countries - data can be transferred internationally without the need for any further safeguards if the UK has decided that the country the recipient is located in has an adequate level of data protection (eg all European Economic Area countries are currently considered adequate)
- the adoption of standard contractual clauses - data can be transferred internationally on the basis of standard data protection clauses approved by the UK
For more information, read International transfers of personal data.