  • May 01, 2022

Do I need a privacy policy on my website?


The short answer is yes, all businesses that process personal data must have a detailed privacy policy. In most cases, a privacy policy will sit on your website. 

This article is designed to help you understand what a privacy policy is - and the terms and conditions it needs to contain to ensure compliance with the UK General Data Protection Regulation (GDPR) / Data Protection Act 2018.

What is a privacy policy?

Article 5(1) of the UK GDPR sets out six principles, stating that personal data must be processed:

  1. Lawfully, fairly, and in a transparent manner
  2. For specified, explicit, and legitimate purposes only
  3. In a manner that is adequate, relevant, and limited to what is necessary
  4. Accurately and, where required, kept up to date
  5. Regarding storage, data should only be kept as long as necessary
  6. In a way that protects it from unlawful or unauthorised processing, loss, damage, or destruction

Article 5(2) provides that controllers and processors must also show accountability when it comes to UK GDPR compliance. 

This involves actions such as keeping precise records and implementing a ‘data protection by design and default’ methodology. This means carrying out data protection impact assessments in situations where the use of personal data could compromise the interests of data subjects.

Your business’s privacy policy is part of complying with the first principle. It sets out why and how you collect and process personal data, how long it is kept, and what happens to it when it is no longer required. 

Ensuring your privacy policy is readily available to anyone who deals with your business is part of complying with the transparency principle.

 


 

What information should a privacy policy contain?

The Information Commissioner's Office (ICO) provides a comprehensive overview of the information required in a privacy policy. Your policy must contain:

  • Your business’s name and contact details
  • Your representative’s name and contact details
  • For what purpose your business processes personal data
  • The lawful basis for the processing, i.e.:
    • Consent
    • Contractual obligation
    • Legal obligation
    • Vital interest
    • Performance of a public task
    • Legitimate interest
  • The categories of personal data your business obtains
  • The recipients or categories of recipients of the personal data
  • If personal data is transferred to any third countries or international organisations
  • How long personal data is kept
  • People's rights concerning the processing of their data
  • The right to withdraw consent
  • The right to complain to a supervisory authority
  • Where the personal data was sourced from
  • The details of whether people are under a statutory or contractual obligation to provide the personal data
  • The details of the existence of automated decision-making, including profiling
  • How a person can seek recourse if your business fails to comply with the privacy policy and the UK GDPR and/or Data Protection Act 2018

You must make sure that your privacy policy is drafted in simple, plain language. Attempting to hide certain things in the ‘small print’ is unlikely to go down well with the UK supervisory authority, the ICO.

Do customers read privacy policies?

People are becoming increasingly concerned with how technology companies and other businesses collect and use their data. Unfortunately, most people do not read privacy policies. However, the way you draft the policy and highlight its existence can encourage consumers to engage.

Using simple language, adding a pop-up to remind consumers to review your organisation’s privacy policy, and giving people real choices in real time can help foster consumer trust.

Is a website's privacy policy legally binding?

It is a legal requirement that any organisation that processes personal data must have a privacy policy. This is the case even if your business does not have a website. If you are not a website owner, you will need to provide people with a copy of your privacy policy at the time you collect their personal information.

Although there are several privacy policy templates available online, you are likely to feel more confident in terms of compliance with the UK GDPR if a solicitor drafts the document for you. 

Yes, you may know that your business collects personal data, but are you aware of how it is processed and why, or where it is stored and what happens to it once it is no longer needed? Furthermore, to demonstrate accountability, your business operations need to reflect what is recorded in the privacy policy. Therefore, it is important to base the policy on reality.

Get legal advice from LawBite

At LawBite, our data protection solicitors have a wealth of experience in discussing what is required in small business privacy policies and drafting bespoke documents that protect the interests of your customers, suppliers, partners and your organisation.

If you would like to speak to one of our team, you can book a free 15 minute consultation.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.


