February 14, 2022
The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR, so in practice there is little change to the core data protection principles, rights and obligations.
Your business website should display a customer-facing privacy policy that tells visitors how your business collects, uses and stores the personal data gathered through the website (excluding special categories of personal data and data relating to criminal convictions and offences) in order to provide goods and services.
As part of the UK GDPR principles, businesses must comply with the “transparency requirements”.
The transparency principles require every data controller (your business) to tell data subjects (your customers) how it handles their personal data, through a privacy policy, at the time the data is collected. For an online business, that will usually be done via the website privacy policy.
A privacy policy informs data subjects about how your organisation collects, uses, stores, transfers and secures personal data.
Alongside the privacy policy, your business website should also display your general website terms and a cookie policy. You may also wish to display your general trading terms of business on the website.
When collecting personal data from a data subject, as a data controller, the UK GDPR requires you to provide the data subject with the following information:
your business identity (meaning the name of the legal entity), contact details and details of its representative, if any
the contact details of your data protection officer (DPO), where applicable
the intended purposes of, and the legal basis for, the processing
where the processing is based on the “legitimate interest” ground, what legitimate interest is being pursued
the recipients or categories of recipients of the personal data, if any
where applicable, the fact that your business intends to transfer the personal data to a recipient in a country outside the UK or an international organisation, and the existence or absence of adequacy regulations or information about the appropriate or suitable safeguards adduced to secure the data and the means to obtain a copy of them
A business must also provide the data subject with the following information to ensure fair and transparent processing:
the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period
the existence of the individual’s:
right of access
right to rectification
right to erasure
right to restriction of processing
right to object to processing
right to data portability
where processing is based on the individual’s consent, the right to withdraw that consent at any time
the individual’s right to lodge a complaint with the Information Commissioner
whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract. The individual must be informed about any obligation to provide personal data and of the consequences of a failure to do so
the existence of automated decision-making or profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of that processing for the individual
If you have any queries about website privacy policies or other data protection or e-commerce issues, please contact Stephen Thompson on sthompson@darwingray.com or 07970 160166.