PRIVACY POLICY

  1. Conduct a Data Audit: Before writing, map out what personal data you collect, how you collect it (e.g., forms, cookies, third parties like Google Analytics), why you collect it, where it is stored, who it is shared with, and how long you retain it.

  2. Determine Your Lawful Basis: For each type of data processing, you must identify and state one of the six valid lawful bases under UK GDPR (e.g., user consent, contractual obligation, legitimate interests).

  3. Use Plain Language: Avoid legal jargon and complex terminology. The language should be simple and understandable for your intended audience, including children if your site is aimed at them.

  4. Draft the Content: Include specific sections addressing the following points:

    • Your Contact Details: The name and contact details of your organisation (the data controller) and your Data Protection Officer (DPO), if you have one.

    • Types of Data Collected: Clearly list the categories of personal data you collect (e.g., name, email, IP address, browsing activity).

    • Purpose and Legal Basis: Explain the specific reasons for processing the data and the corresponding lawful basis for each purpose.

    • Data Sharing: Disclose if you share data with any third parties (e.g., payment processors, analytics vendors), who they are, and why.

    • International Transfers: If personal data is transferred outside the UK, explain which safeguards are in place to ensure it is protected.

    • Data Retention: State how long you will store the data or the criteria used to determine the retention period.

    • User Rights: Inform users of their rights under the UK GDPR, including the rights to access, rectify and erase their data, to restrict or object to its processing, and the right to data portability.

    • How to Exercise Rights and Complain: Provide clear instructions on how users can exercise their rights and how to lodge a complaint with you or the Information Commissioner's Office (ICO).

    • Cookies and Tracking: Include details about the cookies and tracking technologies used on your site, their purpose, the data they collect, and how users can manage their preferences. You may link this to a separate cookie policy.

    • Security Measures: Briefly describe the technical and organisational measures you have in place to protect user data.

    • Children's Privacy: State if you knowingly collect data from children and, if so, your procedures for obtaining parental consent (required for children under 13 for online services).

    • Policy Updates: Include the effective date and a statement that the policy may be updated, and how users will be notified of significant changes. 

Tools and Best Practices

  • Use a Generator/Template: To ensure all legal requirements are met, consider using a privacy policy generator or a reliable template. The ICO offers a privacy notice generator for customer and supplier information.

  • Seek Legal Advice: Privacy law is complex; it is advisable to seek legal counsel to tailor the policy to your specific business operations and ensure full compliance.

  • Placement: The policy should be easily accessible, for example, linked in your website's footer and at relevant data collection points (e.g., sign-up forms, checkout pages).

  • Regular Review: Review and update your privacy policy at least annually or whenever there are changes to your data processing activities or relevant laws. 