Crafting a GDPR-Compliant Privacy Notice and Website Terms for Your Business


A GDPR privacy notice explains how your business uses personal data, and your website terms set the rules for using your site. Transparent communication is the cornerstone of effective data protection, and together these two documents form a vital part of your compliance strategy. For UK businesses, getting them right is essential to meet obligations under the UK GDPR and to build trust with clients and partners. This guide outlines the key elements of a privacy notice and website terms and explains how to develop documents that are both informative and legally sound.

Why a Privacy Notice Matters

A GDPR privacy notice is your evidence of transparency: it shows people what you collect, why, and what choices they have. It is a public statement about how your organisation collects, uses and safeguards personal data, covering the types of data collected, why you collect it, how long you keep it, who you share it with and what rights individuals have. Athlex’s privacy notice begins by explaining that it covers personal data when people contact the company, visit its website or use its services. It clarifies that personal data includes any information that can directly or indirectly identify an individual. Starting with this definition helps set expectations and aligns with legal requirements.

Information You Should Include

Your privacy notice should be comprehensive yet easy to understand. Consider including the following sections:

  • Who You Are: Identify your business name and contact details. If you have a Data Protection Officer (DPO) or representative, include their contact information.
  • What Data You Collect: Explain the categories of data you collect, such as names, contact details and information about a person’s role. If you collect data indirectly, describe the scenarios, for example receiving information from clients or through public sources.
  • How You Obtain Data: Describe the different ways you collect personal data, from website forms and customer interactions to third-party sources.
  • Why You Collect Data: Outline the purposes for processing personal data, such as providing services, sending marketing communications or complying with legal obligations.
  • Lawful Basis: Identify the legal basis for each purpose, such as consent, contract, legitimate interests or legal obligation.
  • How You Share Data: Explain if you share data with third parties and why. Be transparent about processors, partners or platforms used for marketing and analytics.
  • Data Retention: State how long you keep personal data and what criteria determine retention periods. If you have different retention periods for different data types, explain this clearly.
  • Security Measures: Summarise the technical and organisational measures you use to protect data.
  • Individual Rights: Inform people about their rights, including access, rectification, erasure, restriction, objection and data portability. Explain how they can exercise these rights and provide contact details for requests.
  • International Transfers: If you transfer data outside the UK or EU, describe how you safeguard those transfers.
  • Updates: Indicate how you will notify people of changes to the notice.

Avoid legal jargon and keep sentences straightforward. Use headings and bullet points so readers can find information easily. Remember to provide the notice in a format accessible to people with disabilities.

Creating Website Terms

Website terms of use set expectations for visitors and protect your business from misuse. These terms should be tailored to your services and industry. Key areas to cover include:

  • Acceptance of Terms: State that by using the site, users agree to the terms and any related policies (privacy notice, cookie policy). Athlex’s terms open by welcoming users and advising them to read the terms alongside the Privacy Notice and Cookie Notice.
  • Permitted Uses: Explain how users may interact with your site. For example, they may view and print pages for personal use but must not reproduce content for commercial purposes without permission. If you allow quoting, specify that they must credit your business.
  • Prohibited Conduct: List activities you prohibit, such as attempting to gain unauthorised access, interfering with the site’s operation or uploading malicious code. Athlex’s terms warn against unlawful use, hacking and introducing malware. Rewriting these rules in positive, plain language helps clarity.
  • Intellectual Property: Assert your ownership of the website’s content and branding. Outline what users can and cannot do with your content.
  • Liability and Disclaimers: Limit your liability for errors or interruptions on the site. Clarify that the site’s content is general information, not legal advice. If you offer downloadable materials, explain that users rely on them at their own risk.
  • Links to Third Parties: Include a disclaimer that you are not responsible for the content of external sites. If you allow others to link to your homepage, set conditions for doing so.
  • Governing Law: Specify which jurisdiction’s laws govern the terms and where disputes will be resolved.
  • Changes to Terms: Reserve the right to update the terms and advise users to check back regularly.

It is also important to consider accessibility. Provide the terms in a readable format and ensure they are easy to find – typically in the website footer.

Aligning Privacy Notices and Website Terms

While privacy notices and website terms serve different purposes, they should be consistent. Your terms should reference your privacy notice and cookie policy, and vice versa. Ensure definitions match and that you use the same language across documents. If you update the cookie policy in response to the DUAA, reflect that change in the terms by referring to the updated policy.

Keeping Documents Up to Date

Laws and business practices change. The DUAA introduces new duties, such as stricter cookie consent rules and expanded subject access rights. Keep an eye on guidance from the Information Commissioner’s Office and update your documents as necessary. Use clear effective dates and inform users when significant changes occur. Keeping a revision history in a separate log can help demonstrate accountability if regulators review your compliance.

Practical Tips for SMEs

  1. Use Templates Wisely: Starting with a reputable template can save time but customise it to your business. Make sure the purposes, lawful bases and contact details reflect your operations.
  2. Seek Professional Advice: For complex processing, hiring a data protection consultant or outsourcing your DPO can help you draft documents that meet legal requirements and business needs.
  3. Educate Your Team: Everyone who interacts with customers or data should understand what the privacy notice says. Training ensures consistent messaging and helps staff recognise when to direct people to the notice.
  4. Make It Visible: Link to your privacy notice and terms in the website footer, sign-up forms and anywhere you collect data. Transparency builds trust.
  5. Monitor Feedback: Pay attention to questions or complaints about your privacy notice or terms. If users find something unclear, update it.

If you’re using a template, make sure your GDPR privacy notice matches what you actually do in practice, not what the template guesses.

Conclusion

A clear privacy notice and well-structured website terms are cornerstones of good data protection practice. They help you comply with the UK GDPR, prepare for changes under the DUAA and set expectations for how visitors should use your site. By explaining what data you collect, why you collect it and how people can exercise their rights, you demonstrate respect for privacy. Clear website terms protect your business from misuse and reinforce that your content and services are valuable. Investing time in crafting these documents pays off in greater trust, fewer misunderstandings and reduced legal risk.



Understanding the Data (Use & Access) Act 2025: What UK Businesses Need to Know


Why Was the DUAA Introduced?

The DUAA aims to modernise the UK’s data protection regime, ensuring that individuals have better control over their personal data while enabling organisations to innovate responsibly. It responds to new technologies, data‑driven business models and concerns about transparency. The Act builds on the UK GDPR framework rather than replacing it, so businesses must view it as complementary rather than separate.

Key Changes under the DUAA

1. Increased Fines for Electronic Marketing

The DUAA raises the maximum penalties for breaches of PECR. Companies can now face fines of up to £17.5 million or 4% of their global turnover, whichever is higher. This brings electronic marketing fines in line with those under the UK GDPR. Any business that sends marketing emails, texts or calls should review consent processes and records to ensure compliance.

2. New Rules Around Cookie Consent

The Act introduces stricter requirements for cookie consent under UK GDPR. Companies must ensure that cookie banners are clear and separate from other requests. Pre-ticked boxes and implied consent are not acceptable. People must have a genuine choice and be able to withdraw consent just as easily as they give it. Businesses should audit their cookie practices, update consent tools and keep records of consent.

3. Stronger Powers for the ICO

The Information Commissioner’s Office gains broader authority to compel businesses to provide information, reports and interviews as part of investigations. Failure to cooperate may lead to enforcement action. Businesses should keep thorough records of processing activities and be prepared to demonstrate compliance quickly if asked.

4. Expansion of Subject Access Rights

The DUAA reinforces the right to access personal data, requiring more detailed explanations of how data is used and shared. Organisations must be transparent about data sources and how decisions are made using personal data. This ties in closely with DSARs, making it even more important to have a robust process for responding to data requests.

5. Automated Decision‑Making Controls

The Act introduces new restrictions on automated decision‑making that significantly affects individuals. Businesses must provide human oversight, explain the logic behind decisions and allow individuals to contest them. Sectors using AI and machine learning—such as finance, insurance and recruitment—must ensure their systems meet these requirements.

Practical Steps to Comply

1. Audit Your Marketing Activities

Review how you collect and store consent for marketing communications. Ensure you can demonstrate a lawful basis for all electronic marketing. Update marketing databases to remove contacts without valid consent. For B2B marketing, confirm that you are complying with relevant exemptions and that messaging remains within legal boundaries.

2. Update Cookie Policies and Banners

Conduct a cookie audit to understand what tracking technologies your site uses and why. Update your cookie notice to clearly describe categories, purposes and retention periods. Implement a consent management platform if necessary, ensuring that individuals can easily change their preferences.

3. Strengthen Record‑Keeping

Maintain up‑to‑date records of processing activities, including data flows, legal bases, retention periods and third‑party sharing. If the ICO requests evidence of compliance, having organised records demonstrates accountability and saves time. Regularly review and update your records to reflect changes in processing.

4. Review Automated Decision‑Making Processes

Identify any processes that use algorithms or profiles to make decisions that could significantly affect individuals. Assess the legal basis for using automated decisions and whether human oversight is provided. Update privacy notices to explain these processes and develop procedures to address challenges from individuals.

5. Train Staff

Your employees are the first line of defence against non‑compliance. Provide training on the DUAA, focusing on marketing, cookie consent, data subject rights and automated decision‑making. Raise awareness of increased fines and the importance of cooperation with the ICO.

Impact on SMEs

Some SMEs might assume that new legislation primarily targets large corporations. However, the DUAA applies to any organisation processing personal data, regardless of size. Smaller businesses often have limited resources, making it harder to adapt. Yet the cost of non‑compliance—financial penalties and reputational damage—can be far greater than the cost of putting proper systems in place. SMEs should seek professional advice to interpret the Act and prioritise actions based on the data they handle.

How Athlex Supports Your Compliance

Staying on top of evolving data protection laws can be challenging. Athlex specialises in GDPR and privacy compliance for businesses of all sizes. Our consultants can help you conduct a DUAA readiness assessment, update policies and procedures, and train your staff. We provide practical, jargon‑free advice tailored to your industry, ensuring that you understand your obligations and can implement changes effectively. Whether you need a one‑off consultation or ongoing support through our outsourced DPO service, we make compliance manageable.

Looking Ahead

The DUAA is part of a broader trend toward stronger data governance. Businesses should expect further updates as technology evolves and public expectations of privacy grow. By understanding the DUAA and integrating it into your existing compliance framework, you prepare your business for future changes. Adopting a proactive approach—regular audits, employee training and transparent data practices—will position you as a trustworthy organisation in a competitive market.

Conclusion

The Data (Use & Access) Act 2025 introduces significant changes that businesses cannot ignore. Higher fines for marketing violations, tougher cookie rules, expanded subject rights and increased regulatory powers raise the stakes for data protection. By taking practical steps—auditing marketing activities, updating cookie banners, strengthening record‑keeping, reviewing automated decision processes and training staff—you can meet your obligations and build customer confidence. With professional guidance from Athlex, your business can turn compliance into a competitive advantage and navigate the evolving data protection landscape with confidence.

Sign up to our newsletter to receive updates directly to your inbox. You can also read more about DUAA updates to complaints processes in our blog.