While the stir around the introduction of the General Data Protection Regulation (GDPR) has certainly died down since May 2018, the GDPR is still as relevant as ever to all organisations who process people’s data.
Here we answer a few questions that often crop up…
How do you generate a GDPR compliant privacy policy?
Each organisation has different internal processes and the way in which your business handles personal data may be very different to how your competitor does, so it’s always best to seek legal advice to ensure you’re covered with a strong compliant privacy policy on your website. However, as a starting point, the UK Information Commissioner’s Office (ICO) has provided a template privacy notice on its own website, which gives good general guidance on the key areas it should cover.
Before you begin creating a privacy policy, its important to understand exactly what kinds of data you handle, and to have thorough knowledge of your organisation’s internal data processing methods (we can help you with an audit and gap analysis).
How can GDPR compliance be automated?
It would be very difficult, if not impossible, to automate GDPR compliance. There are so many variables at each stage of the process. We always recommend that organisations seek tailored advice to ensure their own processes are compliant; after all, each businesses has its own organisational structure, systems and internal ‘quirks’!
What are the security and privacy implications of the GDPR?
In terms of data security, data controllers and data processors have greater responsibilities under the GDPR than they did previously. You should take steps to show that you are doing your due diligence when it comes to protecting the data you process. This may involve scrutinising the technologies and processing operations your organisation uses and making sure these are capable and reliable when it comes to keeping confidential data safe.
What are the checklists for GDPR compliance?
There is no one-size-fits-all approach to GDPR, as each organisation handles data differently, but the ICO has lots of helpful resources – including a data protection self-assessment toolkit, with a series of checklists for data controllers and data processors, data sharing and subject access and more – which businesses can use as a starting point.
How is a GDPR gap analysis performed?
A GDPR gap analysis is important, simply because you can’t solve a problem that you didn’t know existed! This is a process of identifying areas and systems within your organisation which may be at risk of a breach and need ‘tightening up’. You should instruct a data protection expert to do this, because it is one of the most important steps on your journey towards compliance, not to mention a complex and time-consuming process for the uninitiated.
Is GDPR part of the Data Protection Act?
The Data Protection Act 2018 replaces the Data Protection Act 1998, giving an updated framework for UK data protection law. It is not the same as the GDPR, but it sits alongside it. The DPA 2018 gives a framework for how the GDPR should be put into practice in the UK.
What is the data protection impact assessment in GDPR?
One of the characteristics of GDPR is increased accountability. There is a requirement under GDPR for businesses to undertake data protection impact assessments when putting any processes in place that use new technology that is likely to result in a high risk to data subjects.
What is the data controller role in GDPR?
Under GDPR, both data controllers and data processors have new obligations. The ICO defines data controllers as “the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.” They are the organisations who decide how personal data is processed, and what it is used for. If there is more than one person taking on this activity, using the same data for the same purpose, they are referred to as ‘joint controllers’. UK data controllers must also make sure that the data processors they instruct are also compliant. If data controller breaches their obligations, they may face action from an authority such as the ICO.
Generally, if you are a data processor, you will be working under a data controller’s instructions, but you will have your own responsibilities too. If you have any questions on your compliance responsibility, please contact us.
Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of GDPR compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact us.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
On 24 May, the ICO published its updated guidance for businesses and employers on responding to data subject access requests (commonly referred to as ‘SARs’ or ‘DSARs’). Based on the…
Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over next 10 years – these are just a few outcomes that…
This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA. In June this year, the European Commission published two sets…
By clicking Accept you are agreeing to the use of all cookies which will allow us to provide you with the most relevant experience when visiting or re-visiting this website. This means that your personal preferences will be remembered when you use this website. You can change your consent or choose specific settings by clicking "Cookie Settings". By clicking "Reject All" we will not use any non-essential cookies. Essential cookies will still be used for the website to function properly. Please see our cookie policy and privacy notice for more information about how we process your personal data.
Our website uses cookies to improve your experience while you navigate through our website. Out of these cookies, the cookies that are categorised as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies but it may affect your browsing experience on our website. You can find our cookie policy here.
Necessary cookies are absolutely essential for our website to function and enable core functionality such as security and accessibility. These cookies do not store any personal information. You can block these cookies by changing your browser settings, but this may affect how the website functions.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
mgref
1 year
This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
yt-player-headers-readable
never
The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-installed
session
The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period
session
The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app
session
The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name
session
The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY
never
The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga
2 years
The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat
1 minute
This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gid
1 day
Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_s
1 year
This cookie is associated with Shopify's analytics suite.
G
1 year
Cookie used to facilitate the translation into the preferred language of the visitor.
vuid
2 years
Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
VISITOR_INFO1_LIVE
6 months
YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA
6 months
YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC
session
Youtube sets this cookie to track the views of embedded videos on Youtube pages.