The short answer is yes, all businesses that process personal data must have a detailed privacy policy. In most cases, a privacy policy will sit on your website.
This article is designed to help you understand what a privacy policy is - and the terms and conditions it needs to contain to ensure compliance with the UK General Data Protection Regulations (GDPR) / Data Protection Act 2018.
What is a privacy policy?
Article 5(1) of the GDPR provides the six principles of the UK GDPR, stating that personal data must be processed:
- Lawfully, fairly, and in a transparent manner
- For specified, explicit, and legitimate purposes only
- In a manner that is adequate, relevant, and limited to what is necessary
- Accurately and where required, kept up-to-date
- Regarding storage, data should only be kept as long as necessary
- In a way that protects it from unlawful or unauthorised processing, loss, damage, or destruction
Article 5(2) provides that controllers and processors must also show accountability when it comes to UK GDPR compliance.
This involves actions such as keeping precise records and implementing a ‘data protection by design and default’ methodology. This means carrying out data protection impact assessments in situations where the use of personal data could compromise the interests of data subjects.
Your business’s privacy policy is part of complying with the first principle. It sets out why and how you collect and process personal data, how long it is kept, and what happens to it when it is no longer required.
Ensuring your privacy policy is readily available to anyone who deals with your business is part of complying with the transparency principle.
What information should a privacy policy contain?
The Information Commissioners Office (ICO) provides a comprehensive overview of the information required in a privacy policy. Your policy must contain:
- Your business’s name and contact details
- Your representative’s name and contact details
- For what purpose your business processes personal data
- The lawful basis for the processing, i.e:
-
- Consent
- Contractual obligation
- Legal obligation
- Vital interest
- Performance of a public task
- Legitimate interest
- The categories of personal data your business obtains
- The recipients or categories of recipients of the personal data
- If personal data is transferred to any third countries or international organisations
- How long personal data is kept.
- People's rights concerning the processing of their data.
- The right to withdraw consent
- The right to complain to a supervisory authority
- Where the personal data was sourced from
- The details of whether people are under a statutory or contractual obligation to provide the personal data
- The details of the existence of automated decision-making, including profiling
- How a person can seek recourse if your business fails to comply with the privacy policy and the UK GDPR and/or Data Protection Act 2018
You must make sure that your privacy policy is drafted in simple, plain language. Attempting to hide certain things in the ‘small print’ is unlikely to go down well with the UK supervising authority, the ICO.
Do customers read privacy policies?
People are becoming increasingly concerned with how technology companies and other businesses collect and use their data. Unfortunately, most people do not read privacy policies, however, the way you draft the policy and highlight its existence can encourage consumers to engage.
Using simple language, adding a pop up to remind consumers to review your organisation’s privacy policy, and giving people real choices in real-time can help foster consumer trust.
Is a website's privacy policy legally binding?
It is a legal requirement that any organisation that processes personal data must have a privacy policy. This is the case even if your business does not have a website. If you are no a website owner you will need to provide people with a copy of your privacy policy at the time you collect their personal information.
Although there are several privacy policy templates available online, you are likely to feel more confident in terms of compliance with the UK GDPR if a solicitor drafts the document for you.
Yes, you may know that your business collects personal data, but are you aware of how it is processed and why. Or where it is stored and what happens to it once it is no longer needed? Furthermore, to demonstrate accountability, your business operations need to reflect what is recorded in the privacy policy. Therefore, it is important to base the policy on reality.
Get legal advice from LawBite
At Lawbite, our data protection solicitors have a wealth of experience in discussing what is required in small business privacy policies and drafting bespoke documents that protect the interests of your customers, suppliers, partners and your organisation.
If you would like to speak to one of our team, you can book a free 15 minute consultation. Just click ‘Get started’ below.
