In October, the Information Commissioner’s Office (ICO), the body responsible for data protection enforcement in the UK, published the results of a review into privacy policies. The ICO reviewed 30 UK websites in the retail, banking and lending, and travel and finance price comparison sectors and found that most privacy policies did not comply with the current Data Protection Act 1998.
The problems with the websites reviewed included:
- 26 failed to specify how and where personal data would be stored;
- Details about the cross-border transfer of personal data were often found to be too vague;
- 26 organisations failed to explain adequately whether they share personal data and, if so, who it would be shared with; and
- 24 organisations failed to inform users how they could delete or remove their personal data from the website.
So, if organisations with websites cannot comply with the current legislation, what hope is there that their privacy policies will comply with the new General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018?
It must be remembered that when the Data Protection Act 1998 became law, the online world was very much in its infancy, and so the Act was not designed for that purpose. Indeed, Facebook was not launched until 2004 and YouTube not until 2005.
On the other hand, as the research appears to show, few websites currently comply with the existing legislation, so they will certainly not comply with GDPR. Accordingly, many privacy policies will need to be amended. For most organisations, the website is very much their public face.
It is, therefore, vital for data protection purposes that organisations get their privacy policies correct. These are not standard documents, as is often thought. They cannot be, because the way in which organisations handle personal data varies from organisation to organisation.