|CookieConsent||https://www.clc-uk.org/||Stores the user's cookie consent state for the current domain||1 Year||HTTP|
|_ga||https://www.clc-uk.org/||Registers a unique ID that is used to generate statistical data on how the visitor uses the website.||1 Year||HTTP|
|_gat||https://www.clc-uk.org/||Used by Google Analytics to throttle request rate||Session||HTTP|
|_gid||https://www.clc-uk.org/||Registers a unique ID that is used to generate statistical data on how the visitor uses the website.||Session||HTTP|
|collect||google-analytics.com||Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.||Session||Pixel|
|GPS||youtube.com||Registers a unique ID on mobile devices to enable tracking based on geographical GPS location.||Session||HTTP|
|VISITOR_INFO1_LIVE||youtube.com||Tries to estimate the users' bandwidth on pages with integrated YouTube videos.||1 Year||HTTP|
|YSC||youtube.com||Registers a unique ID to keep statistics of what videos from YouTube the user has seen.||Session||HTTP|
How to approach GDPR: GDPR is principles based (Article 5 GDPR) and takes a risk-based approach to data protection. This allows practices to decide for themselves what steps are appropriate and proportionate to comply with GDPR, meaning that the approach large practices need to take to get ready for GDPR is likely to be different to the approach smaller firms and sole-practitioners need to take.
Staff should be provided with relevant training so that they understand how GDPR may impact their day to day working and what additional support and resources they may need from the organisation to be compliant.
It is also important to talk to any third parties that you share personal data with. This may include IT and case management providers to ensure they are ready for the changes and to determine any steps needed to update systems and processes.
Consideration should be given to implementing systems to verify individuals’ ages and to obtain parental or guardian consent for any processing activity in relation to children.
A data protection policy, a data breach notification procedure, data protection impact assessments and consent forms will also help to demonstrate compliance. The scale of the policies and procedures should be appropriate to the size and complexity of the practice.
Existing privacy notice should be reviewed and updated to ensure individuals are provided with the appropriate information, for example, the lawful basis for processing the data, data retention periods and individuals’ right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem in the way their data is being handled.
Existing consents obtained under the DPA 1998 do not automatically need updating if they meet the GDPR standard of being ‘specific, granular, clear, prominent, not automatically opted-in, properly documented and easily withdrawn’.
Any personal data breach which could impact an individual or cause harm must be reported to the ICO without undue delay, and no later than 72 hours after detection. If the breach is likely to result in a high risk of adversely affecting individuals’ rights, practices must also inform those individuals without undue delay.