Key Considerations for Writing Your Business’ Privacy Policy


Written By:

Emily Shingler

Associate 

Darwin Gray


In a data-driven world, companies are forced to take more care over individuals’ personal data. If your business collects personal information from individuals, you are required to hold and publish a privacy policy explaining not only what information you are collecting and why – but also how you will look after it.

The UK’s data protection legislative framework consists of the UK GDPR (the retained version of the EU’s GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations – this article will refer to these together as “UK Data Protection Laws”.

What is a privacy policy?

A privacy policy is a statement which informs individuals whether any of their personal data is going to be collected by a business and, if so, how and why that information is used and stored. Privacy policies are necessary for any business which collects personal data from individuals (including about its staff). They are also required for any website, and for certain mobile apps, which collect personal data from visitors.

Information can be collected in any number of ways. It might be collected from a customer giving you their information directly, for example when placing an order or giving you their email address when subscribing to a newsletter. If you have a website, the website might automatically collect information about visitors to that website. Have a look at our quick guide to website privacy policies for more information.

Providing a privacy policy means complying with transparency principles within UK Data Protection Laws; privacy legislation has developed significantly in recent years, with the main focus on enabling individuals to make informed decisions on how businesses can use their personal data.

All information provided must be concise, transparent, easily accessible and given in plain language.

What is personal data?

Personal data is defined by UK Data Protection Laws as “any information relating to an identified or identifiable natural person … who can be identified, directly or indirectly, in particular by reference to an identifier such as a name…”.

To summarise, if the information can identify a living person, then it is personal data.

In most cases, it will be easy to determine which pieces of information you collect are personal data. Where it is less clear, more consideration should be given as to whether UK Data Protection Laws apply.

What does it need to include?

  • All relevant information about you/your company: this includes contact details and registration information where applicable. If you have a Data Protection Officer, this person must be specified in the policy.
  • What information and data are being collected: For example, the purchase of goods from a website might include the collection of:
    • Identity data: names, marital status, date of birth.
    • Contact data: delivery addresses, telephone numbers, email addresses.
    • Financial data: bank account or payment card details.
  • Why you are collecting this data: The ‘why’ is especially important to comply with UK Data Protection Laws, which require any company or business which collects personal data to do so “on a lawful basis”. There are 6 lawful bases for processing personal data – if you can’t rely on a lawful basis, then you cannot collect the data. Most companies will be able to rely on the contractual relationship between them and website visitors as the lawful basis. However, businesses should be mindful that they are only collecting the information they actually need for the purpose of any such contract. If a business collects extra data which is not strictly needed, that would be unlawful.
    • Note also that if you are collecting sensitive personal data (for example, medical information) then the rules are especially stringent, especially around the storage and protection of such information.
  • Where does the information go once it is collected? Does it stay with your company or do you share this information with anyone else? Visitors to your website need this information to make an informed decision about whether they share their personal data with you or not. If their personal data leaves the UK, they may not want this to be shared. Note that if you are sharing personal data outside of the UK, you must have specific clauses in your privacy policy to enable you to do this lawfully.
    • You may also need to consider the wider use of customers’ data. For example, do you operate a warehouse that prints delivery forms using the information collected on your website? If so, this needs to be included in the privacy policy. Once a customer’s personal data is printed out, it is harder to control as a hard copy and is more vulnerable.
  • How long will you store the information for? All businesses should have a policy as to how long information is kept before it is destroyed. There might be regulatory reasons why some information needs to be kept for a longer period – this should all be documented in the business’ internal records.
  • Rights to make a complaint: whilst a lot of companies prefer to deal with any data protection complaints without the regulator’s involvement, your privacy policy must not be worded to the effect that a complaint must be made to you before the Information Commissioner’s Office (ICO). For example: “you must raise any complaint with us, before doing so with the ICO” is not compliant with UK Data Protection Laws.

The list above is not exhaustive, and each company’s privacy policy will need to be tailored to that company’s particular requirements.

If you have any concerns about an existing privacy policy, or think your business needs one, please get in touch with a member of our corporate team, Emily Shingler, via email on [email protected] or via telephone on 029 2082 9102 for a free initial chat to see how we can help you.

Business News Wales