Clarke & Son Blog


Next month, data protection rules across all of the European Union will see their biggest change in two decades. Yes, the General Data Protection Regulation (GDPR) brings a few new points, but one could argue that all it really does is provide for the fact that the world has moved on in the 20 or so years since the last set of laws was defined.

Rather than bore you by reciting all the Articles of the GDPR and what they entail, as I’m sure all of you reading this article have sat through hours of training, I would rather outline how we here at Clarke & Son LLP can help you stay compliant by reviewing and updating your Privacy Policy.

All firms collecting or using personal data will already have a Privacy Policy in place to be compliant with the Data Protection Act 1998. The GDPR now requires you to disclose more information in your Privacy Policy. However, it also requires you to do it in a more concise and clear way.

Your Privacy Policy is where your business tells individuals what personal information you collect, why you collect it, how it is secured, what third-party access there is, how cookies are used, and how you control these aspects. Under the new regulations your Privacy Policy must address the following:

  • Who is collecting the data and contact information for the data controller?
  • What data is being collected and what will this information be used for?
  • Inform users of their rights under GDPR as to the data being collected and whether it is mandatory to provide the data.
  • Does the collected data produce automated decisions, e.g. credit checks?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How long will the data be stored for and will it be transferred internationally?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

Most of the above will be self-explanatory, and as such I am only going to touch on the key points brought about by the new requirements.

Inform users of their rights under GDPR as to the data being collected and whether it is mandatory to provide the data.

I’m sure the majority of those reading this article already know their rights under the new Regulations, as escaping the craze they have caused is simply impossible. However, it is still important that the 8 rights provided by the Regulations are addressed in some form in your business’s Privacy Policy. You should also let users know whether providing the personal information is an absolute requirement. For example, where the information on a business’s website is free to all without providing any personal information but the website also has a members’ area, it is important that your Privacy Policy makes clear that this section of the website requires personal information to be provided.

What is the legal basis for processing the data?

The Regulations provide that all data controllers must have a lawful basis for processing personal data, as provided under Article 6 of the Regulations. The most common positions relied on by data controllers would be either (1) that consent has been given for the subject’s data to be processed for one or more specific purposes; or (2) that processing is necessary for a legitimate interest. Firms will need to make sure that they spell out very clearly what this legitimate interest is, e.g. collecting financial information for payment purposes.

If you have a query or would like to book an appointment please get in touch with Tertius Alberts on 01256 320555 or email talberts@clarkeandson.co.uk.

Tertius Alberts

Corporate & Commercial Solicitor
