
General Data Protection Regulation (GDPR) FAQs

Businesses and other organisations handling personal data in the UK need to ensure that they comply with data protection laws, especially the GDPR. Read this guide for answers to some frequently asked questions about the GDPR.


The UK GDPR (referred to here as the ‘GDPR’), which is supplemented in the UK by the Data Protection Act 2018 (DPA), provides the legal framework for protecting personal data within the UK.

The GDPR and the DPA apply to businesses that store or handle personal data. This means that you will be subject to the GDPR if you are a business or other organisation that is:

  • established in the UK and processing personal data in the context of that establishment, or

  • not established in the UK but offering goods or services to, or monitoring the behaviour of, individuals within the UK

The GDPR has an ‘extraterritorial reach’: many organisations based outside the UK must comply with the UK GDPR when they process the personal data of people in the UK. Similarly, UK organisations may have to comply with the EU GDPR (the GDPR that applies across the European Union) if they process personal data belonging to individuals based in the EU.

The GDPR applies to personal data, meaning any information relating to a living individual who is identified or can be identified, directly or indirectly, by reference to an identifier. Examples of personal data include names, dates of birth, contact details and credit card details.

There is a further category of special category personal data which is afforded greater protection. This type of personal data includes information about someone’s mental or physical health and information about their religious beliefs.

For more information, read Data protection.

The GDPR applies whenever you are processing personal data. You are processing personal data whenever you do anything with it (other than for purely personal or household purposes). Examples of processing include collecting, recording, storing, using and deleting personal data. For more information, read Processing personal data.

The documents you need for your website will depend on the specifics of your situation, including the extent of data you collect from users. However, as a starting point, your website will generally require a Privacy policy and a Cookie policy.

Cookies are small text files that a website stores in a visitor’s browser and that the browser sends back on later visits. They are used to recognise a device or browser, to support the operation of the website (eg keeping a user logged in) and to provide information to the website’s owners.

A cookie policy sets out what types of cookies a website uses, why those cookies are used and what they do. If you use cookies to uniquely identify a device or the person using that device, the information they hold is personal data under the GDPR. As a result, you should have a cookie policy in place to stay GDPR-compliant.

For more information on the different types of cookies, read Different types of internet cookies.

A website privacy policy sets out: 

  • why your website is collecting data

  • what type of information your website collects and 

  • the scope and limitation of data processing on your website

Essentially, your privacy policy outlines your business’ practices in relation to the collection, storage and use of personal data gathered on your website. 

To comply with the GDPR, you need a privacy policy if you collect and process your users’ personal data.

The UK GDPR and the EU GDPR are almost identical. Both GDPRs: 

Nevertheless, there are two separate GDPRs to deal with: the EU GDPR applies if you process the personal data of people in the EU, and the UK GDPR applies if you process the personal data of people in the UK.

You should Ask a lawyer if you have any questions or concerns about processing the personal data of EU users.

The simple answer is that you should keep personal data only for as long as you need it.

Neither the UK GDPR nor the EU GDPR specifies fixed retention periods for personal data. Instead, the storage limitation principle requires you to keep personal data for no longer than is necessary for the purposes for which you collected it (to determine your target market, for example). You can therefore keep data as long as you can justify its use for that purpose, and you should document the retention period you have decided on.

You should securely destroy or anonymise personal data when you no longer need it.

A DPO is a nominated person within a business who is responsible for ensuring data protection compliance. A DPO will generally be required if a business:

  • is a public authority (with the exception of courts acting in their judicial capacity)

  • carries out large scale systematic monitoring of individuals (eg online behaviour tracking)

  • carries out large scale processing of special categories of data or data relating to criminal convictions and offences

A business that is not required to have a DPO can still appoint one voluntarily if it wishes. However, if a DPO is not appointed because one isn’t necessary, the business needs to ensure that it has sufficient staff and skills in place to carry out its obligations under the GDPR.

For more information, read Data protection.

Transferring personal data to recipients in countries outside the UK (known as ‘third countries’) is prohibited unless certain safeguards exist. Examples of such safeguards include:

  • ‘adequate’ third countries - data can be transferred internationally without the need for any further safeguards if the UK has decided that the country in which the recipient is located provides an adequate level of data protection (eg all European Economic Area countries are currently considered adequate)

  • standard data protection clauses - data can be transferred internationally on the basis of standard contractual clauses approved for use in the UK, which bind the recipient to protect the data

For more information, read International transfers of personal data.
