Non-compliant privacy policies: what hope is there when it comes to GDPR?

2nd January 2018

Just about every organisation publishes a privacy policy on its website. A privacy policy is a statement to the outside world about how an organisation will handle personal data collected through its website.

In October, the Information Commissioner’s Office (ICO) (the body responsible for data protection enforcement in the UK) published the results of a review into privacy policies. The ICO reviewed 30 UK websites in the retail, banking and lending, and travel and finance price comparison sectors and found that most privacy policies did not comply with the current Data Protection Act 1998.

The problems with the websites reviewed included:

  • 26 failed to specify how and where personal data would be stored;
  • details about the cross-border transfer of personal data were often found to be too vague;
  • 26 organisations failed to explain adequately whether they share personal data and, if so, with whom it would be shared; and
  • 24 organisations failed to inform users how they could delete or remove their personal data from the website.

So, if organisations with websites cannot comply with the current legislation, what hope is there that their privacy policies will comply with the new GDPR (or General Data Protection Regulation) which comes into effect on 25 May 2018?

It must be remembered that when the Data Protection Act 1998 became law, the online world was very much in its infancy, so the Act was not designed with websites in mind. Indeed, Facebook was not launched until 2004 and YouTube not until 2005.

The GDPR, by contrast, is written for the world as it is today. Helpfully, most of what a privacy policy must contain is set out in Article 13 of the GDPR (with Article 14 covering the position where personal data is obtained from a source other than the individual). This makes it easier for an organisation to check that everything is covered.

On the other hand, as the research appears to show, few websites currently comply with the existing legislation, so they will almost certainly not comply with the GDPR. Accordingly, many privacy policies will need to be amended. For most organisations, the website is very much the organisation's public face.

As we have already mentioned, the privacy policy is the organisation's public statement of how it is going to handle personal data and, in many ways, its public demonstration of compliance (or indeed non-compliance) with the GDPR.

It is, therefore, vital for data protection purposes that organisations get their privacy policies right. These are not standard documents, as is often thought. They cannot be, because the way in which personal data is handled varies from organisation to organisation.
