As we’re all aware, the General Data Protection Regulation (GDPR) came into effect on 25th May 2018, together with the Data Protection Act (DPA) 2018.
This was replaced by the UK GDPR on 1 January 2021, following the end of the Brexit transition period. This, together with the updated DPA 2018, forms the legal framework for the UK’s data protection regime.
This legislation was updated after nearly 20 years to catch up with advances in technology and to reflect the fact that the vast majority of us regularly share a great deal of personal information online. We now have enhanced rights both to access this information and to understand what is being done with it, whilst organisations have a greater obligation to ensure our information is protected.
When it comes down to compliance, both pieces of legislation must be read alongside one another to gain the full picture. The GDPR contains the principles that must be adhered to by all organisations that process the personal data of citizens of the European Union, while the DPA 2018 details how these principles are incorporated into UK legislation. Additionally, the DPA fills in the gaps concerning areas that are outside the scope of the GDPR, such as data processing activities performed by law enforcement or intelligence services, and the role of our regulator – the Information Commissioner’s Office (ICO).
How does this impact my business?
Well, there are several factors to be considered, such as your core activities and the number of individuals you employ; but ultimately, if you have a website, a legal requirement for compliance likely already exists.
Noticed the “cookies banner” that pops up on most websites nowadays? Although cookies are only mentioned once in the GDPR, Recital 30 states:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […].
Cookies are essentially small data files stored on your device by websites for various purposes and for varying lengths of time. As a business owner, you are likely using cookies for analytical reasons, to gain an understanding of traffic to your website and how users navigate around its pages. Additionally, they have practical uses such as remembering a user’s log-in details so that they don’t have to re-enter their password on each visit, presenting them with more relevant adverts, and saving selected preferences to improve the general user experience.
If you want to know which cookies are in use, just right-click the padlock icon that appears left of the website address in your browser.
Essentially, the remit of the GDPR and DPA 2018 is “… Personally identifying or identified information of a natural person”, i.e. any piece of data that discloses the identity of a living person (deceased individuals do not fall within the remit of these laws). IP addresses and the information collected by cookies are considered personally identifiable information, as these are unique to you and your device.
ALL websites that offer a subscription or ask a user to enter ANY personal information into a form are legally required to seek consent, through acceptance (or refusal), via these cookie banners. Additionally, your website should have a Cookie Policy separate from its existing Privacy Policy – combining the two is no longer considered adequate.
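To show what “seeking consent” means in practice on the server side, here is an added example (not code from this article or from any vendor) in Node-compatible JavaScript. It records the visitor’s choices in a consent cookie, reads that cookie back on later requests, and refuses to set any non-essential cookie until the matching category has been accepted. The cookie name cookie_consent, the three categories, the Secure/SameSite/HttpOnly defaults and the sample visitor who accepts analytics but refuses marketing are all assumptions constructed for the example.

```javascript
// Added example: consent-gated cookie handling. All names below are assumed,
// not taken from the article.
const CONSENT_COOKIE = "cookie_consent";                 // assumed cookie name
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories

// Strictly necessary cookies (session, CSRF token) need no consent;
// every other category needs an explicit "true" in the stored choices.
function isAllowed(consent, category) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "necessary") return true;
  return consent !== null && consent.choices[category] === true;
}

// Encode the visitor's choices plus a timestamp (so the banner can be
// re-shown after a retention period) into a cookie-safe value.
function encodeConsent(choices, timestampMs) {
  const record = { v: 1, ts: timestampMs, choices: {} };
  for (const c of CATEGORIES) {
    record.choices[c] = c === "necessary" ? true : choices[c] === true;
  }
  return encodeURIComponent(JSON.stringify(record));
}

// Parse a Cookie request header ("a=1; b=2") and return the consent
// record, or null when it is absent or malformed (treated as "no consent").
function parseConsentCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(part.slice(idx + 1).trim()));
      if (record.v !== 1 || typeof record.choices !== "object") return null;
      return record;
    } catch (e) {
      return null; // tampered or truncated value: fall back to no consent
    }
  }
  return null;
}

// Build a Set-Cookie header with defensive defaults: Secure, SameSite=Lax,
// HttpOnly unless the cookie must be readable by page scripts.
function buildSetCookie(name, value, { maxAgeSeconds, httpOnly = true, sameSite = "Lax" } = {}) {
  const attrs = [`${name}=${value}`, "Path=/", "Secure", `SameSite=${sameSite}`];
  if (httpOnly) attrs.push("HttpOnly");
  if (Number.isInteger(maxAgeSeconds)) attrs.push(`Max-Age=${maxAgeSeconds}`);
  return attrs.join("; ");
}

// Returns the header to send, or null when consent for the category is missing.
function setCookieIfAllowed(consent, category, name, value, opts) {
  return isAllowed(consent, category) ? buildSetCookie(name, value, opts) : null;
}

// Constructed sample request: the visitor accepted analytics, refused marketing.
const SAMPLE_COOKIE_HEADER =
  `${CONSENT_COOKIE}=${encodeConsent({ analytics: true, marketing: false }, 1700000000000)}; sid=abc`;

function demo() {
  const consent = parseConsentCookie(SAMPLE_COOKIE_HEADER);
  return {
    session:   setCookieIfAllowed(consent, "necessary", "sid", "abc", { maxAgeSeconds: 3600 }),
    analytics: setCookieIfAllowed(consent, "analytics", "_ga_like", "x", { httpOnly: false, maxAgeSeconds: 86400 }),
    marketing: setCookieIfAllowed(consent, "marketing", "ad_id", "y", { maxAgeSeconds: 86400 }),
  };
}

console.log(demo());
```

The point of the design is that the decision lives in one place (setCookieIfAllowed), so an analytics or advertising cookie can only be emitted once the category has been accepted, and a missing or malformed consent cookie is treated as refusal rather than acceptance.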