
What data protection considerations do I need to be aware of for my organisation’s website?


Websites have various functions which may have data protection implications. A privacy policy, cookie consent and terms and conditions are all aspects which need to be taken into consideration in order to comply with the law.

What are the main things to consider from a data protection perspective?

Privacy policy

If your organisation’s website does not collect personal data of any type then the website may just be a convenient place to include your organisation’s privacy notice so that when you refer your customers to your privacy notice you can reference it via a link.

In all likelihood, however, your organisation’s website will collect some personal data in which case the privacy notice is an important document to explain what personal data is collected and how it is used.

For example, an organisation’s website may collect personal data in the following ways:

  1. Cookies (see below)
  2. ‘Contact us’ pages
  3. Chat functions
  4. Online shops


Cookies

Cookies may be the first thing which comes to mind when considering websites and data protection, as we all have to deal with cookie banners on nearly every website we visit now.

Cookies are small text files which are downloaded onto a website visitor’s computer or smartphone when they use those devices to visit the webpage. Cookies allow the website to recognise the visitor’s device and store some information about their preferences or past actions. This is the way, for example, that a website you have visited previously may greet you by your name or know that you are in the UK.

Unless the cookies are ‘necessary’ or ‘essential’ cookies, any setting of cookies needs user consent in advance of the cookies being placed on their device, so it is also usual to see a cookie banner pop up when you visit a website. It is important that cookie banners are clear so that website visitors know what they are consenting to and have a genuine choice whether to consent. Current best practice (which is being heavily promoted by the Information Commissioner’s Office at the moment) is that cookie banners should include a ‘reject all’ button on the first layer of the notice, and accept buttons shouldn’t be pre-ticked or more prominent. There should also be an easy way to withdraw consent after it is given.

Website terms and conditions 

If your organisation sells goods or services via its website, then terms and conditions of sale should be on the website so customers know the contract terms which apply to their purchase. Typically, these terms and conditions will include provisions dealing with data protection, because when concluding the sale contract it is likely the organisation will collect personal data from the customer (e.g. name, address, contact details and payment details), and it is important the customer is informed of the related data protection implications.

Why do I need to comply with data protection law?

Failure by an organisation to comply with data protection law poses many risks including enforcement action by the Information Commissioner’s Office, loss of business and loss of reputation. You can read more about this here.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team, you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
