With all the recent media attention it has been impossible to avoid GDPR, but despite this many businesses are still ignoring the need to update their policies and procedures. It has been almost 3 months since the General Data Protection Regulation (GDPR) came into force, but here at Stephens Scown we are still seeing a number of businesses with out-of-date privacy policies on their websites.
A website is your public face, so it is important to get this right; otherwise you risk complaints being made to the Information Commissioner’s Office (ICO). Under the GDPR, a business is required to provide individuals with certain information when it collects their personal data. Even those businesses that do not sell their services online usually have a “contact us” function on their website and also use cookies, so it is important that they have a compliant Privacy Policy and Cookie Notice in place.
From discussions I have had with the business community in recent weeks, there seems to be a lot of complacency that if you are not a big company like Facebook or Google then you don’t have to worry about GDPR, but unfortunately this is not the case. Here at Stephens Scown we have seen a marked increase in the number of enquiries we receive from individuals concerned about their privacy rights since May, with all the publicity that GDPR has received. Individuals are now acutely aware of their data protection rights and are getting more savvy at enforcing them. We have also seen an increase in the number of businesses receiving subject access requests under GDPR, whether from disgruntled employees or from recipients of marketing emails. Many businesses have found these requests difficult to respond to, particularly if they have not updated their privacy policies.
Six tell-tale signs your privacy policy needs updating:
1. You don’t have a privacy policy at all on your website
2. Your policy does not state who the data controller is
3. Your policy does not mention the legal bases you are relying on to process personal data
4. Your policy does not inform individuals of the various rights they have under GDPR
5. Your policy does not cover international data transfers
6. Your policy states that you do not share personal data with third parties (this is unlikely to be true when you use external hosting or software providers)
The above list is by no means exhaustive, but it should provide you with a useful checklist for quickly ascertaining whether your privacy policy is compliant.