How to update your website Privacy Policy for the GDPR
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
How to update your Privacy Policy for GDPR
All businesses, small or large, will have to add or expand their Privacy Policy to comply with the GDPR.
For most small businesses to comply with the GDPR your Privacy Policy must include all of the following information (see below).
According to the GDPR, the information you provide to people must be "concise, transparent, intelligible, easily accessible, and it must use clear and plain language". This is actually advantageous - it means that if you write a Privacy Policy you can understand, rather than in legalese, you'll be within the spirit of the law.
What to add to your Privacy Policy to comply with the GDPR
- Your lawful basis for processing customer data - this will almost always be "consent" for small businesses
- The purpose of your data processing - i.e. what you are using the data for
- State your legal, registered company name, and your contact details, including the contact details of your data protection officer (if applicable)
- State any third parties you share data with, and why you share data with them - you should also link to their Privacy Policies here to show they also follow the GDPR
- State how long you will keep their personal data
- State the rights available to individuals in respect of the use of their date, namely:
- Their right to erasure
- Their right of access
- Their right to rectification
- Their right to restrict processing
- Their right to data portability
- Their right to object
- Their rights related to automated decision-making, including profiling
- Their right to withdraw their consent
- Their right to lodge a complaint with a supervisory authority
Much of this can be boilerplate, and I provide an example below. Pay attention to the text surrounded by curly brackets {} - it needs replacing with your information.
Disclaimer: the below example is provided for informational purposes. No warranty, either expressed or implied, is provided as to its legality or fit for purpose.
GDPR Privacy Notice Example
Your Personal Information
{registered company name} ("us", "we", or "our") operates the {website address} website (the "Service").
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
What personal information we need
We only collect basic personal information about you which does not include any sensitive types of information or location-based information. This does, however, include your name, address, telephone number and email address.
Why we need your personal information
We need to know your basic personal information in order to provide you with {the service you provide}. We will not collect any personal data from you we do not need to provide and oversee this service.
What we do with your personal information
All the personal information we process is processed by our staff in the UK. For the purposes of website hosting and storage this information is located on servers within the European Union.
{No third parties have access to your personal data unless the law allows them to do so.}
OR
{We may provide paid products and services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
The payment processors we work with are:
Stripe
Their Privacy Policy can be viewed at https://stripe.com/us/privacy
You should also mention any couriers, credit checking agencies, sub-contractors etc.}
How long we keep your personal information
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. If your information is used for marketing purposes it will be kept until you notify us that you no longer wish to receive this information.
What are your rights?
{company name} aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
Whenever possible, you can update your Personal Data directly within your account settings section. If you are unable to change your Personal Data, please contact us to make the required changes.
If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.
In certain circumstances, you have the right:
- To access and receive a copy of the Personal Data we hold about you
- To rectify any Personal Data held about you that is inaccurate
- To request the deletion of Personal Data held about you
- You have the right to data portability for the information you provide to {company name}. You can request a copy of your Personal Data in a commonly used electronic format so that you can manage and move it.
- You have the right, at any time, to object to us using your personal information
{We do not perform any automated decision making or profiling with your personal information.}
Please will ask you to verify your identity before responding to such requests.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO) by calling 0303 123 1113.
{Our Data Protection Officer is {employee name} and you can contact them at {employee email address}.
Security Of Data
The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
Further Help
If you are struggling to bring the various requirements together, I recommend the use of a good quality online GDPR Privacy Policy generator.
The ICO has a dedicated page with examples of good and bad privacy policies to help guide you.
Occasionally there are special requirements that should go into your Privacy Policy, but these only apply to the minority of businesses. If your business falls into any of these categories you will need to expand your Privacy Policy and may need to consult a specialist:
- If you obtain personal data from other sources
- If "consent" isn't the lawful basis for processing personal data
- If you transfer the data to be stored outside of the EU
- You provide services for children
What is the difference between “Terms & Conditions” & a “Privacy Policy”?
In general, the GDPR will only affect your Privacy Policy, but in case you are confused as to the purpose of these two seemingly similar documents I'll quickly lay out the distinction:
A privacy policy is a detailed breakdown of when your website and company collects, uses, stores, transmits and destroys information from your customers.
The terms and conditions of your website, also called the terms of use, are the general rules of using your website. These go beyond a promise of how you will handle privacy matters. In the case of an online store, the terms and conditions determine what will happen in the event of a sale. Essentially, it enables you to structure your return policy, shipping deadlines, and any other details that are essential to the transaction. Beyond e-commerce they allow you to set the rules of your site, be it establishing guidelines for proper user behaviour on your discussion forum, or signing up for a free trial of your online app.