Set out how you protect your website visitors' data
Protect your website and its users
Ensure legally required information is included in your emails
Inform staff members about data protection practices
Request access to your personal data held by a business
Set out what cookies your website uses
Request that a business delete your personal data
Data protection and privacy FAQs
In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 2018 (the DPA) which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulations (the GDPR).
Personal data is information relating to individuals who can be personally identified from that data (on its own or with other data held). Personal data can be held electronically or physically and includes names, addresses (including email addresses), dates of birth and online identifiers (eg IP addresses).
There is a further 'special category' of personal data which is subject to more restrictions. Special categories of personal data include information about racial or ethnic origin, sexual life and physical or mental health or condition.
For more information, read Data protection.
You have certain rights relating to data held about you, including:
the right to access your data and be informed about how your data is being processed
the right to have your data rectified if it's inaccurate or incomplete
the right to object to the processing
the right to have your data erased in certain circumstances
For more information, read Data protection requests.
Under section 45 of the DPA, individuals can make subject access requests (also known as ‘SARs’ or ‘data protection requests’) to businesses and other organisations that hold their personal data. A SAR is a written request to a company or organisation asking for access to the personal information it holds on you and can be made to find out a variety of things, including:
details of the personal data that is being processed (ie a copy of the data)
the reasons why this data is being processed
how this data was sourced (if available)
which other organisations or individuals have access to the data
For more information, read Making data subject access requests.
Under article 16 of the GDPR, individuals have the ‘right to rectification’, allowing them to request that any inaccurate personal data held by businesses or other organisations about them is corrected. If the data is incomplete, individuals can also request that organisations add more information.
Making a request for data rectification can be made verbally or in writing, clearly stating that the accuracy of the data is being challenged and should be corrected and, where possible, providing evidence of the inaccuracy.
For more information, read Data rectification requests.
Under article 21 of the GDPR, individuals have the right to object to organisations processing their personal data. This effectively means that organisations can be stopped or prevented from using an individual’s data.
The right to object depends on the organisation’s purpose and lawful grounds for processing and an objection can typically only be made if data is used for:
direct marketing purposes
statistical purposes or scientific or historical research
tasks carried out that are in the public interest
the exercise of official authority
the organisation’s legitimate interest
For more information, read Objecting to the use of personal data.
Under article 17 of the GDPR, individuals have the ‘right to erasure’, allowing them to have their personal data deleted from businesses or other organisations. The right to erasure only applies in certain circumstances (eg an individual initially consented to their data being used but has now withdrawn that consent or where it is no longer necessary for the organisation to keep the data for its original purpose).
For more information, read Making data deletion requests.
Generally, anyone who processes personal data needs to comply with data protection laws. 'Processing' is any use of personal data (other than for personal reasons) and includes obtaining, storing and retrieving personal data. Read Processing personal data for more information.
This means that businesses and private individuals alike will need to comply with data protection laws where they process personal data belonging to ‘data subjects’ (ie natural persons from whom or about whom they collect information). For example, an online business may collect personal data about its customers (ie the people buying its products) and its staff. On the other hand, a private individual may collect personal data where they run a blog (eg by collecting users’ names and email addresses through a blog contact form).
Health data (ie any information relating to your health, including, for example, Coronavirus (COVID-19) vaccination status) is special category personal data that is awarded greater protection than other forms of personal data (eg names and contact details).
The processing of personal health data is generally not permitted unless the use of the data is fair, relevant and necessary for a specific purpose. For example, your employer may be able to process your personal health data in order to comply with employment law, the employer’s health and safety duties and for reasons of the public interest in health.
Where your employer processes health data (eg checking or recording your Coronavirus (COVID-19) vaccination status), their responses for doing so must be clear and transparent. This generally means that employers need a specific reason for processing your health data and cannot be recording it ‘just in case’.
For more information on employers processing your health data in relation to your Coronavirus (COVID-19) vaccination status, read How to record the Coronavirus (COVID-19) vaccination status of staff.
Even when you run a personal blog, you still need to make sure that you comply with data protection laws. To do this, it is recommended that you have a variety of documents available on your website for visitors to view, including:
a Privacy policy (if you are collecting personal data from website users). This document should let your website users know who you are, why you are collecting their data, what you are doing with their data and how long it will be stored
a privacy notice (if you are holding and using people’s personal data). This document explains who the data controller (ie the party determining the purposes and means of processing personal data) is, who the Data Protection Officer (ie the individual responsible for ensuring data protection compliance within the business) is, and describes the purpose of collecting, using, disclosing and storing a person's personal data
a Cookie policy (if your blog uses cookies - small text files placed on a user’s computer or smartphone, commonly used to collect personal data). This should let your website users know about the website’s use of cookies. You can also have an integrated cookie policy in your Privacy policy (as is the case with Rocket Lawyer's template)
Website terms and conditions - this document governs the use of your website and to sets out the legal rights and obligations between you and your users
For more information, read How to set up your blog.