GDPR Archives -

Blog Archives

Cookies And Cookie Policy Under GDPR

Posted on April 11, 2018 by

You will have no doubt heard a lot of buzz around the introduction of the new General Data Protection Regulations (GDPR) on 25 May 2018. As a website owner, there are some specific considerations coming into effect as part of these new regulations. Under GDPR regulations, cookies are considered personal information as they are used to identify an individual. As you conduct your GDPR review and audit for your business this is how you must treat cookies.

Cookies and your cookie policy

Your website will almost certainly be using cookies to track visitors which means that you will need to make some changes to how these are used. Firstly, you will need to as a minimum have a soft opt-in for site visitors. If your website is aimed at consumers then we would recommend a specific click for consent option that allows you to provide evidence of an opt-in. In either case this means that you must as a minimum do the following;

  1. Ensure no cookies are dropped before a visitor has given express consent to accept your cookies.
  2. Tell your visitors what you use cookies for and then make it clear that if they proceed past the page they landed on, they are giving consent for you to drop a cookie(s) on their device – this is not recommended for B2C website as it will almost certainly not pass GDPR rules. Alternatively, you must give them the option to continue without accepting cookies although it should be noted that this will stop some websites from working properly or as intended. This should be made clear to your visitors at the outset if applicable.
  3. Give a link to your cookie and or privacy policy which should clearly detail what you are using cookies for and how a visitors data might be used.
  4. Finally, and this is really important, provide the ability for visitors to revisit your site and opt out of your cookie policy and be forgotten. Again this should be made clear at the point of entry to your website such that visitors are clear as to how this process works should they wish to opt out at a future date.

Privacy policy

Your privacy policy should detail everything regarding the use of cookies on your website, how they are used and what they are used for. If you use any forms on your website you should state what you do with this data, especially if you plan to share any data with third parties. If you are using data you collect to identify website visitors you must also make this clear. The privacy policy relates only to the use of the website or data collected via the website so is separate to your terms and conditions or other more general GDPR requirements.

Actions you will need to take

  1. Cookie audit – you will need to have an audit carried out to determine a list of the cookies used on your website along with what those cookies are used for. This information is needed for both your cookie policy as well as your privacy policy.
  2. Cookie policy and opt in/out modifications to website. Once the audit has been completed and the policy written you will need to implement the cookie opt in functionality on the website. No cookies are dropped on the landing page and this will ensure proper consent is received from your visitors as they proceed to use your website. Perhaps the most important part of GDPR however is the opt out functionality you will need to implement. Somewhere on your site, and we would probably recommend the privacy and or cookie policy pages, you must provide an opt out that will remove cookies from a previously opted in visitor and prevent further tracking. As previously noted, this may render your site inoperable to the visitor so you will need to cover this in your policy wording.
  3. Update privacy policy – this will be focussed on what data you are collecting, why you are collecting it and if applicable, who you are sharing it with. It will also need to give details of the person responsible for your policy such that you can be contacted.


Complying with GDPR for your website needn’t be a huge burden and is essentially an extension to the current DPA rules. As such, assuming you are already DPA compliant, you will have a good basis on which to work from. The main reason that there’s so much buzz around GDPR is that is comes with some potentially significant fines for non compliance. This might sound scary but everyone will be conscious of how important their own personal data is and should therefore be keen to extend the same sentiment towards how they manage personal information themselves.


GDPR compliance is the sole responsibility of any business that falls under the jurisdiction of the regulations. The information contained within this article only covers a small part of the GDPR regulations and is our interpretation of the regulations regarding the use of cookies.

Important Information About GDPR

Posted on April 6, 2018 by

The European General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018.

You’ve probably already heard the abbreviation GDPR floating around these last few months. This is not just another piece of legislation taking place – it’s crucial that businesses take action now. But first, it’s important to know how this affects the way businesses use and track personal data, and the steps that businesses need to take now in order to be prepared for these changes.

The GDPR is completely changing the way businesses can use personal data. The aim of the new regulation is to protect the individuals’ data and privacy. What exactly is meant by this? It affects the way businesses collect, store and use the information about individuals, and applies not only to a customer data but also your past or present employees and suppliers. It gives individuals more freedom to ‘control’ what businesses do with their personal information.

Who does the GDPR affect?

You may think the new regulation only applies to large organisations, but regardless of the size of business, GDPR is affecting every business that works with European citizens’ data.

However, the good news is that the GDPR treats small businesses differently to the big ones. The businesses with over 250 employees must employ a Data Protection Officer (DPO) – a person responsible for making sure that the business collects and secures personal data in a responsible way. If the business employs less than 250 people, there’s no need to employ a DPO. However, small businesses still need to be compliant with the changes happening on the 25th May 2018.

The GDPR does not only affect businesses located in the UK. The GDPR is about protecting the data of all European citizens, which means that a business in any part of the world that sells goods to or works with European citizens has to comply with the new European regulations.

What kind of data does the GDPR apply to?

Any personal information. This could be – a name, an email address, a photo, posts on social media platforms, bank details, medical information, computer IP addresses, even sensitive information such as sexual orientation, religious beliefs, etc. It also includes any piece of information that could be linked to an individual. For instance, a cookie on a website can be used to identify an individual visitor and is therefore classed as personal information.

What rights will individuals have?

Right to be informed
Under the GDPR, individuals have the right to be informed about their data being collected and used. Businesses must provide their customers with a privacy policy detailing what data is being collected, why this data is collected, how long will you keep the data for and if applicable, who will you share this data with. This privacy information must be provided to individuals at the time you collect their data. In the case of obtaining the data from other sources rather than from individuals directly, you must provide details to those being affected with the privacy information within a month.

Right of access
Individuals have the right to get confirmation of their data being used and can also request access to that data (companies have to provide this information free of charge and within a month of the request).

Right to rectification
Individuals have the right to have their data rectified if their data is not accurate. If an individual requests this, the company needs to deal with this request within a month (in some cases, if the request is more complex, the one month period may be extended to 2 months).

Right to erasure (also known as ‘right to be forgotten’)
Individuals have the right to ask for erasure of their data. This includes the right to opt out of cookies on your website if they have previously opted in.

Right to restrict processing
Individuals have the right to ask for a restriction of their data.

Right to data portability
Individuals can request that their data is moved from one service to another. If this is the case, you must provide a safe and secure transferal of their data.

Right to object
Individuals have the right to object to:
– processing based on legitimate interests in the public interest/exercise of official authority (including profiling)
– direct marketing
– processing for purposes of scientific/historical research

Rights in relation to automated decision making and profiling
You must give individuals the information about the processing and introduce a simple way for them to challenge a decision.

What steps do businesses need to take?

Audit your business
It’s important that you know everything about the information you hold and who it’s shared with. Probably the best way to do this is to organize an audit through your organization and document what data you hold, what you use them for, where the data came from and who you share this data with. And what about your privacy policy? Also, do you give people an option to opt out? This might take a while for you to do but it will give you a better understanding of what actions your business needs to take after the enforcement of the new regulation.

Update the privacy policy
You should already provide this information, however, this should be reviewed as GDPR brings new requirements of what needs to be included in your privacy policy. You will have to explain your lawful basis for processing the data, you will also have to let people know the retention period or let them know that they have a right to complain to the ICO if they think the way you handle their data is not correct.

Don’t forget to include information about cookies on your website – including a list of cookies and what they do. You will almost certainly also have to make changes to how cookies are used on your website, have a clear opt-in policy and also implement a way for visitors to subsequently opt out of cookies in the future.

You must give individuals an absolute freedom to opt out. You also have to give them an option to opt in.

Be concise
State exactly what information you store, the purpose of your business gathering their data, how will you store their data, what you will do with their data, how long will you keep their data for and who else will have access to it.

Create a data policy for your business
Individuals have a total control of how companies manipulate their data. You must prepare for situations like; how will we erase the data if requested? Or who will be responsible for doing so? Also, bear in mind the period for handling requests will change from 40 days to a month!

Data breaches
Situations like this are not ideal but they do happen. You should have the right procedures in place to detect, report and investigate the data breaches. You have to report the data breach to ICO if it is likely to result in putting individual’s rights and freedom at risk.

Some of our happy customers

logo ahmad
logo poingdestres
logog swiss
logo ibhs 1
logo sgc
logo nationwide
logo undersea
logo roughton
logo stcross
logo pulse
logo mm
logo jfl
logo heritage 1
logo firesafe
logo electrofreeze
logo clickmetal
logo baguetti
logo ccc 1
log arokah
logo labs
logo paragon
logo trant
logo nahh
logo edge
logo romsey
spaceway logo
logo bookharbour
logo chartco
logo cranbourne
logo magister
logo mgmetals
logo westway
logo ocean
logo testvalley
logo brittania
logo faac
logo gss