Privacy Policy for Website

*Updated for GDPR*

If you run a website, you should have a privacy policy that tells users what information you collect about them and what you do with that information. You should do this if you hold any information about users. Even if you don’t collect any information, your users will want to know that, so you should tell them. Having a privacy policy will help you build trust with your users. It also shows that you are complying with the General Data Protection Regulation (GDPR), which comes into force on May 25th 2018, replacing the Data Protection Act 1998 (DPA); you must comply with it if you collect any information about website users. The GDPR sets out what you can and can’t do with a person’s information. It applies even if you only hold a person’s information and don’t do anything else with it. Anything that you do with a person’s information is known as processing and has to be done in accordance with the GDPR.

Step-by-step guide

Let’s walk you through how to draft a privacy policy for a website, something you need if you’re the owner of a website. A privacy policy sets out how you intend to collect personal data about people, what you are going to use that data for and what rights people have over the data you hold about them. Under the GDPR you must comply with the law on personal data or face a (potentially heavy) fine, so this is important stuff.

  1. Firstly, introduce the document and explain what the document is for – telling users what information you collect about them on the website and what you do with that information. Include your contact details as well.

  2. Then, include all the necessary information about the company, which is known in the GDPR as the Data Controller. If the company has a nominated representative for the purposes of the GDPR, you must include their name here.

  3. The next section should outline what information the company may collect. You should make sure that this covers all the information that you could collect.

  4. Then, explain that the website makes use of cookies – these are files that can collect some information about users. This section should then include a link to the cookie policy.

  5. It is important to describe how the collected information will be used. Again make sure that you include all the uses of the information. You can’t do anything else with a user’s information unless you’ve told the user about it.

  6. In the next section, you should set out where the data is stored. If a user’s information is transferred outside the European Economic Area (EEA), you should tell users this.

  7. Explain how a user’s information might be disclosed.

  8. You must include a section about the user’s rights in relation to their data. Make sure that you include contact details here.

  9. You need to say that you will not be responsible for any links to other sites provided on your site or posted by other users on the website.

  10. Lastly, make it clear that the Privacy Policy may be subject to change and that it is worth checking it quite regularly. You may also need to contact users if you make big changes to the policy and what you do with their data.

Remember, if you come unstuck at any point, our LawBriefs are here to help. Visit our legal advice page to submit an online enquiry or call us on 020 7148 1066.

Best of luck in your SME journey.

Document drafted by:

Rachel McKinney LawBrief

Rachel McKinney is a barrister with approximately 17 years’ experience accumulated in both private practice and in-house. She has advised businesses ranging from small business owners to large multinationals across a number of sectors, including financial services, pensions and the construction industry. She provides clear, succinct and commercially focused advice on the legal risk a client may face and how to mitigate any such risk.

She advises upon a broad range of commercial issues including compliance with General Data Protection Regulation (GDPR), dispute resolution and the proactive management of litigation and drafting and negotiating a full range of commercial agreements.

As an experienced litigator, Rachel utilises her skills to identify legal issues quickly and to provide clear and pragmatic commercial solutions from the outset so that clients might avoid incurring unnecessary costs. When working with SME clients it is vital to provide cost-effective, pragmatic and commercially focused advice. She has successfully maximised profits and minimised financial exposure for SME clients.

In her own words… “I find working with SMEs truly rewarding. As a lawyer I can make a real difference to the business in the delivery of cost effective and commercially focused advice. I really enjoy working with business owners and becoming immersed in their business to understand their future aims and objectives. It gives me an opportunity to assist in the development of the business by providing commercial solutions to minimise legal risk. It is the best part of being a lawyer.”