The importance of having a privacy notice and data protection policy in light of GDPR

The General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018.

Under the Regulation, businesses have a duty to keep individuals informed about the use of their personal data and about their legal rights concerning that data.

Your Privacy Policy

If you have a privacy policy on your website and you have not yet updated it in line with GDPR, you will need to move quickly. The policy will need to make clear how personal data is collected through your website and how cookies are used to track visitors' behaviour while they navigate your pages.

In addition, if you do business offline (as most businesses do, alongside online trading), be aware that GDPR and its information requirements apply in just the same way.

The right to be informed is one of the key parts of GDPR. This means that if you deal with consumers, you will need to inform them of the following:

  • What personal data you hold about them
  • What you use the data for
  • The grounds for using the data
  • How long you will hold the data
  • Whether you intend to share the data, and with whom

You will also need to provide individuals with information about their rights, including the right of access and, where processing relies on consent, the right to withdraw that consent.

If you collect personal data directly from consumers, you should inform them of all this at the time of collection. If you obtain the data from a third party, you must inform the data subjects within a month of obtaining it, when you first communicate with them, or when you disclose the data to someone else, whichever occurs first.

You will need a privacy notice ready to provide to consumers. This notice will need to set out the required information in an easy-to-follow, user-friendly way. It will also need a version designed for situations where data is collected offline rather than online through a website, for example at the point of sale.

Your Data Protection Policy

If you already have a data protection policy then you will need to update it in line with GDPR. If you don’t already have one, now is the time to get one drafted.

It is vital that your entire organisation is aware of the rules set out in GDPR and how personal data should be handled now that the rules have changed. Without a data protection policy, you have no evidence that you have put procedures in place within your business for protecting personal data in line with the new Regulation.
Remember, we have discussed this before: fines for breaches of this Regulation are substantial (up to €20 million or 4% of worldwide annual turnover, whichever is higher) to the point where they could devastate a business.

Time to Take Advice?

If you have not yet brought your business up to speed in readiness for GDPR, you really do need to get moving. Getting your policies in order is crucial if you are going to remain compliant, so either consult a lawyer or look online for good-quality policy templates that you can adapt to your specific business needs.
