Privacy
Stay informed about online privacy best practices, data protection strategies, and how to build trust with your website visitors. Explore topics like data minimisation, user rights management, transparent data collection practices, and the evolving landscape of digital privacy across Europe, the US, and beyond.
What Is UK GDPR? The Post-Brexit Data Protection Rules Your Website Must Follow
UK GDPR is the United Kingdom's version of the General Data Protection Regulation, retained in domestic law after Brexit. It works alongside the Data Protection Act 2018 and PECR to regulate how organisations collect, store and use personal data belonging to people in England, Scotland, Wales and Northern Ireland.
What Is the LGPD? A Practical Guide to Brazil's Data Protection Law
Brazil's LGPD (Lei Geral de Proteção de Dados) regulates how personal data is collected and processed for anyone located in Brazil. It applies regardless of where your business is based, covers cookies and online tracking, and carries fines of up to 2% of annual revenue in Brazil.
Records of Processing Activities: The GDPR Compliance Checklist You're Probably Missing
A Record of Processing Activities (ROPA) is the document most organisations need under GDPR Article 30 but few get right. The Irish DPC's 2022 sweep found that the majority of organisations it audited had non-compliant records. Here is what your ROPA must contain, why the 250-employee exemption rarely applies, and how to build one that holds up to regulatory scrutiny.
Automated Decision-Making and Profiling: User Rights Under Article 22
Article 22 of the GDPR restricts decisions made solely by automated processing when they produce legal or similarly significant effects on individuals. Website owners using profiling cookies, credit scoring, or algorithmic personalisation need to understand when this provision applies and what safeguards are required.
GDPR and Cookies: Special Categories of Data You Might Be Collecting Without Knowing
Article 9 of the General Data Protection Regulation (GDPR) places strict limits on collecting sensitive information like health data, political opinions, and sexual orientation. Many website owners accidentally process this special category data through standard analytics and marketing cookies.
Legitimate Interest as a Legal Basis: When Can You Skip Consent?
Legitimate interest is the most flexible of the six GDPR legal bases, but it is also the most misunderstood. This guide explains the three-part test you must pass, where legitimate interest works in practice, and why it rarely applies to cookies and tracking technologies.
Handling Data Breaches: The 72-Hour Notification Rule Under GDPR Article 33
GDPR Article 33 requires data controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. The clock starts ticking from awareness, not from when the breach occurred - and getting the notification wrong can be just as costly as missing the deadline entirely.
Cross-Border Data Transfers After GDPR: Adequacy Decisions, Safeguards, and What They Mean for Your Website
GDPR restricts the transfer of personal data outside the EEA unless the receiving country offers equivalent protection or specific safeguards are in place. With record fines now reaching into the hundreds of millions, getting cross-border transfers right has become one of the most consequential compliance tasks for any website that uses third-party services hosted abroad.
When Do You Need a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment is mandatory under GDPR whenever processing is likely to result in a high risk to individuals. Article 35 sets out three automatic triggers, and the EDPB has published nine criteria to help you decide whether your processing qualifies. Getting this wrong can lead to enforcement action and fines of up to 2% of global turnover.