As the number of data breaches has increased over the years, it's unsurprising that people are now more protective of their privacy than ever before. There's also a growing awareness of the importance of controlling your personal data, especially since the arrival of GDPR (General Data Protection Regulation) and other data protection laws.
However, you should remember that this is your business, and that the data you collect is unique to you. Therefore you should edit and tweak this template to make sure you cover all the needs of your business, and ensure that any visitors to your website have all the information they need about how you collect, use, store and process any data you gather.
Simply put, if you have a website that:
- Collects user data through a service like Google Analytics;
- Uses contact forms to collect personal data;
- Asks users to subscribe to email newsletters or other communications and updates,
What is personal data?
Personal data is any information that can be used to identify a living individual, either on its own or in combination with other data. Examples of personal data include:
- ID numbers (like your passport or National Insurance number)
- Email address
- Home address
- IP address
- Medical data
- Location data (such as the GPS data on your mobile phone)
- Cookie IDs (more on these later)
There are also other categories of personal data covered under the GDPR legislation such as political and religious beliefs, sexual orientation or racial and ethnic origin.
Have a cookie
It seems that you can't go anywhere on the web without a website asking you if you're OK with cookies. Rather than the tasty treat, this refers to small pieces of data (cookies) that a website stores in a user's browser and reads back on later visits.
These cookies help the website remember certain data about the user, for example keeping them logged in or making it quicker to log in when they return. They can also remember what items were in a user's shopping cart on an online marketplace, or track browsing behaviour across visits and, with third-party cookies, across sites.
- What cookies are and if they are active on your site
- What user data your cookies track
- The legitimate purpose for tracking this data
- What happens to this data and where it gets sent
Should a lawyer write it?
How GDPR affects you
General Data Protection Regulation (GDPR) came into force in May 2018. Widely considered to be the world's strongest data protection legislation, it is a privacy and security law drafted by the European Union, but it applies to businesses around the world, as long as they offer goods or services to, or monitor the behaviour of, people in the EU.
This means that UK businesses are still required to follow the regulations post-Brexit: the GDPR was retained in UK law as the "UK GDPR", and any UK business that deals with EU residents' data must also comply with the EU GDPR. After the launch of GDPR the UK created the Data Protection Act 2018, replacing the Data Protection Act 1998.
In the UK, the Information Commissioner's Office (ICO) can bring criminal proceedings where non-compliance with privacy laws has been found. Website owners can be fined up to £5,000 in the Magistrates' Court, and the fine is unlimited if the case is tried on indictment and heard by the Crown Court.
Any business that falls foul of GDPR also leaves itself open to eye-watering regulatory fines: up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Data subjects can also sue for damages, so it's vital that your privacy and data policies are up to scratch.
- Concise, easy to understand and transparent
- Easy to access
- Free to access (e.g. not behind a paywall)
- Written in clear, easy-to-understand language
Before you even start, it's important to remember that the language should be kept clear and simple. It's not just what you say but how you say it. Now isn't the time to confuse people with technical, overly complicated language. They need to know what you're doing with their data, and they have the right to be told simply and clearly.
Here's an example of unclear phrasing from the official EU GDPR guidelines:
- “We may use your personal data to offer personalised services” (as it is unclear what the “personalisation” entails).
which the guide suggests you could improve by saying:
- “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalisation entails and how the interests attributed to the data subject have been identified).
Your nominated data controller
A data controller is the person or organisation that decides how and why personal data is processed. This is different from a data processor, who processes personal data on the data controller's behalf, and from a Data Protection Officer (DPO), who ensures that the business applies the laws protecting people's personal data.
According to Article 13 (1)(a) of GDPR, you need to give information on "the identity and the contact details of the controller and, where applicable, of the controller's representative".
This means you need to give the name and contact information of your data controller. Their full name and email will do.
Legally, not every business has to have a Data Protection Officer, but if you do have one, make sure that you provide their contact details as well.
Who you are
It may seem obvious, but people need to know exactly who you are, and how to contact you and your company.
- The company name
- Phone number
- Email address
If you're based outside of the EU and have a representative, add their contact details here as well.
The type of information you collect
The kind of information you collect and process will vary depending on the kind of business you have. Some will only need emails for newsletters, while e-commerce companies will need a range of financial data.
You must include all the data that your company collects, stores and processes, and be as specific as possible. For example, if you're an e-commerce company, telling your customers that you're collecting "financial information" is a little vague. Be clear about what you're using and why. For example, you could say that you're collecting credit card information for payment purposes at the checkout.
The legal basis of processing
Be clear on the purpose behind using people's personal data, and name the lawful basis you rely on for each purpose. GDPR (Article 6) recognises six bases, and the ones most small businesses use are consent, performance of a contract, legal obligation and legitimate interests. For example, if you send marketing emails on the basis of consent, or process order details because they're needed to fulfil a contract, then say so.
How long data will be stored
You can't keep hold of customer data forever. Apart from clogging up your storage, GDPR says that you can keep personal data for no longer than is necessary for the purpose you collected it for (the "storage limitation" principle). State your retention periods, or if you can't give a fixed period, the criteria you use to decide how long to keep the data.
Are you sharing personal data?
If you are, be explicit. If another company processes data on your behalf, then say so here. You don't have to name every company involved, but you should at least list the categories of recipient these companies fall under (for example, payment processors, email marketing providers or hosting providers).
If data is being processed by third-party services, or transferred outside the EU, say so, and explain the safeguards you rely on for the transfer.
Data subject rights
- The right to be informed. You need to keep people informed about what data you're collecting, what you intend to do with it and why. You also need to inform people about how long you will keep hold of their personal data and who it will be shared with.
- The right to rectification. If a company holds inaccurate or incomplete personal data about an individual, that individual has the right to ask the company to correct it.
- The right to be forgotten. People can ask that a company erases their personal data. This is usually under certain circumstances, for example if the personal data is no longer necessary for the purpose which the company originally collected or processed it for.
- The right to data portability. People can ask for a copy of the personal data they provided in a structured, commonly used, machine-readable format, and can ask that it is transferred to another organisation or service.
- The right to restrict processing. Individuals can restrict or limit how their personal data is used.
- The right to object. If an individual is unhappy with how any of their personal data is being processed, they have the right to object.
- Rights in relation to automated decision-making and profiling. Article 22(1) of GDPR says that "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." Individuals can also ask you (under Article 15(1)(h)) whether such automated decision-making takes place and, if it does, for meaningful information about the logic involved and its likely consequences for them.
Do you link to external sites?
If so, it's worth stating that you have no control over those other sites, and reminding people to check each site's own privacy policy for their own protection.
If you've only just launched your business, you're probably not thinking about what would happen if you should sell or lose it. It's good to be prepared for any eventuality, so use this section to tell people what will happen to their personal data if you sell up, merge with another company or go bankrupt.
Right to complain
Hopefully no one will ever want to make a complaint about you and how you handle data, but none of us can predict the future.
If an individual wants to complain, show that you're willing to help them. Give them the details to contact you, and tell them they also have the right to lodge a complaint with the ICO as the UK supervisory authority. Once again, this shows that you care about your customers' data and want to abide by the rules.
Changes to policy