UK website privacy notices are far from compliant with GDPR

Monday 20th November 2017

An international study has found that businesses in the UK need to improve their online privacy notices if they are to comply with the General Data Protection Regulation (GDPR) by the time it comes into force on 25 May 2018. With new fines of up to 4% of global turnover or €20 million, whichever is higher, organisations should be keen to improve in response to this timely warning.

The study was led by the UK data protection regulator, the Information Commissioner’s Office (ICO), and included participation by 24 additional data protection regulators from around the world. In all, 455 websites and apps across a wide variety of sectors were assessed. The regulators were considering how easy it was from a user’s perspective to establish precisely what information was being collected, how it was being used, processed and shared, and what the purpose of the collection and processing was.

The study highlighted several issues that were present across all of the jurisdictions in which websites were assessed:

  • Privacy communications across all sectors tend to be too vague, lacking specific detail and relying on generic clauses;
  • Most organisations are failing to inform their web users what happens to their information once it has been collected; and
  • There is a general failure to specify with whom personal data is shared.

On the back of the report, several regulators in different jurisdictions have decided to take action to improve compliance with data protection legislation. Some regulators are working to provide guidelines to advise businesses on how to improve their privacy practices, and in more serious cases regulators have contacted individual organisations to set out remedial actions that need to be taken to improve control of personal data.

In the UK, 30 websites were assessed by the ICO as part of the study. They included websites from the retail, banking, travel and price comparison sectors. The assessments concluded that the privacy notices of these websites were inadequate. Key problems highlighted by the ICO in the UK included:

  • 26 of the 30 failed to specify how and where information would be stored. Additionally, the information that was provided was often unclear and vague;
  • 26 organisations failed to explain whether personal data would be shared with third parties and who those third parties would be;
  • 24 websites did not provide users with any clear means to remove their personal data from the website; and
  • 7 businesses did not make it clear how users could exercise their right to access the personal data the businesses held about them (i.e. through a Subject Access Request).

The ICO manager involved, Adam Stevens, said of the poor results, “the GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the law.”

This month, the ICO has set up a dedicated advice line for small and micro businesses and charities. The main aim is to help organisations without significant resources to prepare for GDPR; however, the service will also be able to advise on current data protection rules, electronic marketing and freedom of information requests. To get in touch, visit the ICO website.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.