Data Protection Requirements: what you really need to know

Written by Kate Molloy

Partner, Head Designer, Sometime Unicorn, Controller of the Whiteboard.

January 26, 2020

Data protection requirements. Possibly my least favourite subject (other than email, but that’s for another blog post). It’s boring. It’s confusing. But it’s essential that you know what you’re expected to do with your website when you run an online business.

In this blog post I’m going to show you exactly what you do need to have in place on your website, and what you don’t need to worry about.

A caveat: I’m not a lawyer and this is not legal advice! Please consult a lawyer to make sure you’ve covered all your bases. This article also doesn’t cover any offline data privacy issues, so please read more on that if you need to.

Data Protection Requirement DO’s

Have a cookie notification plugin

The Privacy and Electronic Communications Regulations (PECR) cover the use of cookies on websites. The rules on cookies are pretty clear and straightforward:

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.

There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).

The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.

Information Commissioner’s Office – Cookies and similar technologies

With this in mind, it’s important to note that not all cookie plugins are created equal. As it says above, users must actively consent for cookie use – continuing to use your website does not constitute valid consent.
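To make the rule above concrete, here is an added example (not from this post, and not Complianz’s code) of the gate a consent plugin has to implement: strictly necessary cookies are written straight away under the PECR exception, everything else is held back until the visitor actively chooses. The cookie names and categories are assumptions, and a plain object stands in for document.cookie so it runs under Node.js.

```javascript
// Categories: "necessary" cookies fall under the PECR exception (a service the user
// asked for); every other category needs active, explicit consent before it is set.
// Cookie names below are assumed examples, not taken from any real site.
const COOKIE_CATEGORY = {
  session_id: "necessary",   // keeps the user logged in
  basket: "necessary",       // remembers the online basket
  _ga: "analytics",          // assumed analytics cookie
  ad_id: "marketing",        // assumed advertising cookie
};

// No consent recorded yet: every non-essential category is false. Nothing but an
// explicit affirmative action (see recordConsent) changes this.
function newConsent() {
  return { analytics: false, marketing: false, recordedAt: null };
}

// Only called from the banner's "Accept" / "Save choices" button handler. Scrolling,
// closing the banner or simply carrying on browsing must never call this.
function recordConsent(consent, choices) {
  return { ...consent, ...choices, recordedAt: new Date().toISOString() };
}

function isAllowed(name, consent) {
  const category = COOKIE_CATEGORY[name];
  if (category === undefined) return false;      // unknown cookie: refuse by default
  if (category === "necessary") return true;     // PECR exception, no consent needed
  return consent[category] === true;
}

// Writes the cookie only if the consent state permits it; returns whether it was set.
// `jar` is the stand-in for document.cookie.
function setCookie(jar, name, value, consent) {
  if (!isAllowed(name, consent)) return false;
  jar[name] = value;
  return true;
}

// Simulates a page load: the site tries to set all four cookies, but only those the
// current consent state allows actually land in the jar. Returns the names set.
function firstVisit(jar, consent) {
  setCookie(jar, "session_id", "s-123", consent);
  setCookie(jar, "basket", "item-42", consent);
  setCookie(jar, "_ga", "GA1.1", consent);
  setCookie(jar, "ad_id", "abc", consent);
  return Object.keys(jar).sort();
}
```

Running firstVisit with a fresh newConsent() leaves only the basket and session cookies set; a plugin that sets _ga on that first load, or that treats a scroll as consent, is the kind of "not all plugins are equal" problem described above.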

The plugin that I recommend is Complianz. It’s what I use, they cover the requirements and their setup wizard makes it fantastically easy to get set up. And it’s free! Although there is a premium version too if you want extra protection.

There’s a great list of recommended plugins in this WP Explore article.

Display your Privacy Policy on your website

Transparency and the right to be informed are key principles of the GDPR regulations. This is a wide reaching element of the regulations, but when it comes to your website, it means including a privacy policy which is visible at the point users give their information. A privacy policy needs to include quite a lot of information, all of which can be seen on the ICO’s website here.

The easiest way to get your Privacy Policy right is to consult a lawyer and get it written up for you. However, there are many online templates that you can also use as a starting point.

I like the ones by SEQ Legal over at, mainly because they’re brilliantly written by UK based lawyers.

You can read mine here.

Register with the Information Commissioner’s Office

As they say on their website:

Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.

There are exceptions, but it probably includes you. It’s only £40 for most small businesses and it is a legal requirement, so get it done!

Data Protection Requirement DON’Ts

Don’t get stressed out about it!

This page on the Information Commissioner’s Office website shows exactly how many complaints are made about website cookies. Less than 150 in any given month. LESS THAN ONE HUNDRED AND FIFTY. Now, I’m not saying that this means you shouldn’t be fully compliant with the data protection requirements on your website, of course you should. What I am saying is that a minuscule number of people are actually complaining about cookie issues, which is the thing most people get stressed about. It’s not likely that anyone is going to complain about you if you do the basics to follow the law. If you want to see examples of the sorts of things people and businesses ARE prosecuted for, you can do that HERE. It’s quite an entertaining read!

DON’T delete your email list and start again

Around the time of the new GDPR regulations, I was horrified to see lots of people say they’d ‘played it safe’ by deleting their email lists and starting again. There was A LOT of scaremongering about at the time, so I can understand why some people felt like it was their only option. But it wasn’t.

The GDPR rules say:

You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.

Information Commissioner’s Office – Electronic mail marketing

That means it’s OK to contact any previous customers or any companies you deal with. It’s also MUCH better to email everyone on your list asking them to reconfirm that they’re happy to stay in your database – you’ll be surprised how many stick around.

DON’T ignore the data protection requirements

The data protection requirements are here to stay. This is not a ‘head in the sand’ moment, it’s something you need to face up to and deal with. There are many ways to tackle the subject yourself; it’s not something to be afraid of. And if you’re not sure what you should be doing, get some legal advice!