The Data Protection Act (DPA) 2018 is the UK’s updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom’s exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998. The United Kingdom is […]
Table of Contents
Data Collection
A clear explanation of what kind of data will be collected from the user is a must in order to be GDPR compliant. You are also required to include how the data is collected, where the data is stored and processed, and how long the data is retained. Another aspect of data collection to include is the security measures you have implemented to protect your users' personal data.
Personally Identifying Information
- how the information collected is used
- whether the information may be disclosed to third parties, and if so, who
- how the user can opt in or opt out of personal information collection
- how they can update, restrict or delete their personal information
- how they can request erasure of their personal information.
Non-Personally Identifying Information
Your Data Protection Rights
In alignment with the GDPR (see our article on it here), you must outline the data protection rights of your users/customers.
The rights are as follows:
- to be informed: Your users have the right to know how you collect and use their personal data. This is a major requirement under the GDPR to promote transparency. Users must be provided with privacy information at the time their personal data is collected.
- of access: Your users have the right to access their data at any time. They can request this either verbally or in writing. You have one month in which to respond to the request.
- rectification: Users of your website have the right to have any inaccuracies in their personal data changed. This can be done through a verbal or written request, and you have one calendar month in which to respond.
- to be forgotten: Under the GDPR, users have the right to have their personal data erased. This right is also known as the right to erasure. Once again, users can make this request either verbally or in writing, and you have a month in which to respond to the request.
- restrict processing: Users have the right to request that you do not process their personal data. They can make this request either verbally or in writing, and you need to respond within one calendar month. However, the right to have personal data restricted only applies in certain circumstances.
- object to processing: Your users have the right to object to their personal data being used for the purpose of direct marketing. They can also request that you stop processing their personal data, and there are some circumstances in which this applies. These circumstances are if the processing is for: “a task carried out in the public interest; the exercise of official authority vested in you; or your legitimate interests (or those of a third party).”
- data portability: This right allows your users to have access to their personal data so they can use it for their own purposes. They can move this data from one IT environment to another safely and securely.
- to object to automated processing: Your users are able to object to the processing of their personal data that is processed without human involvement by automated means.
Data Processing Fee
You must let your users/customers know if there may be a processing fee for any of their requests involving their data. In most cases a fee won’t apply but you must inform them of the chance there may be one.
How to Contact the Data Controller
How to Contact the Data Protection Officer