It has been almost six months since the General Data Protection Regulation (GDPR) 2018, but many businesses still do not have GDPR-compliant privacy policies on their websites.

With all the recent media attention it has been impossible to avoid GDPR, but despite this many businesses are still ignoring the need to update their policies and procedures. A website is your shop window, so it is important to get this right; otherwise you risk complaints being made to the Information Commissioner’s Office (ICO) in the UK, or to other national data protection regulators if you have a global reach. Under the GDPR, a business is required to provide individuals with certain information when it collects their data. Even businesses that do not sell their services online usually have a “contact us” function on their website and also use cookies, so it is important that they have a compliant privacy policy and cookie notice in place informing website visitors how their data will be used.

Perhaps you sell bespoke boats with pricing on request and merely have a website landing page with your contact details, or maybe you only work with other businesses and have made the mistake of thinking that GDPR does not apply to B2B businesses. Whatever your business, the tide has turned on how businesses can handle personal data, and it is hard to think of a business that will not need to change its policies and procedures to comply with GDPR.

We have seen a marked increase in the number of enquiries we receive from individuals concerned about their privacy rights since May. GDPR has been well publicised, and individuals are now acutely aware of their data protection rights and are getting more savvy at enforcing them. We have also seen an increase in the number of businesses receiving subject access requests under GDPR, whether it be from disgruntled employees, recipients of marketing emails or disgruntled customers. Many businesses have found these requests difficult to respond to, particularly if they have not updated their privacy policies.

Six tell-tale signs your privacy policy needs updating:

  1. You don’t have a privacy policy at all on your website
  2. Your policy does not state who the data controller is
  3. Your policy does not mention the legal bases you are relying on to process personal data
  4. Your policy does not inform individuals of the various rights they have under GDPR
  5. Your policy does not cover international data transfers
  6. Your policy states that you do not share personal data with third parties (this is unlikely to be true when you use external hosting or software providers)

The above list is by no means definitive but provides a useful checklist to easily ascertain whether your privacy policy is compliant. We understand a number of businesses are still confused about their obligations under GDPR, so we have teamed up with marketing specialists Jarrang to create a GDPR e-book answering some common questions the business community is asking. You can download a copy here:

https://jarrang.com/navigating-data-compliance/

Stephens Scown has expert data protection advisors who can help you with your legal compliance in relation to GDPR. We also offer a range of fixed-fee solutions. If you would like to talk about your GDPR compliance program in general or updating your privacy policy, please contact Kathryn Heath on 01872 265100 or email ip.it@stephens-scown.co.uk.