How to write a GDPR compliant privacy policy

Last updated: 30 July 2021

Estimated reading time: 5 minutes

Under GDPR you are obliged to give individuals information about how you use their personal data, and you must do this in a clear, jargon-free way. Your privacy policy should be designed with this in mind. A well-drafted privacy policy will go a long way toward ensuring that you obtain the fully informed consent of individuals to the processing of their data.

In this article we will look at privacy policies in detail and suggest ways in which you can ensure your organisation’s policy is GDPR compliant and fit for purpose. If you need help drafting a privacy policy for your business, contact one of our data protection solicitors.

We'll consider:

  1. What is a privacy policy?
  2. How to make sure your privacy policy is GDPR compliant
  3. Is your privacy policy displayed clearly?
  4. Is a privacy policy required by law?
  5. Why is a privacy policy important?
  6. Can’t you just copy someone else’s privacy policy?

What is a privacy policy?

A privacy policy sets out details of the data you hold on individuals, how you use it and why you use it. It usually appears on your website or through a link from emails or other forms of correspondence sent by your organisation.

In the context of GDPR there is a greater onus on companies – as data controllers and processors – to provide information about privacy in a concise, straightforward, and transparent manner.

GDPR is all about giving individuals greater control over their personal data. Under Articles 13 and 14 of the regulations, individuals have a right to be informed about how their data is used – your privacy policy should be designed to enable your clients and customers to exercise this right.

How to make sure your privacy policy is GDPR compliant

Making sure that your policy meets all the requirements of the new data protection landscape means following guidance provided by the Information Commissioner and paying careful attention to the content of the regulations themselves.

Your privacy policy should clearly state:

  • Your organisation’s address and contact details.
  • Who the data controller is and how they can be contacted.
  • The type of personal data you are collecting.
  • Why you are collecting the data and the lawful basis for doing so.
  • Whether you intend to share the data.
  • Whether the data will be transferred outside Europe.
  • The choices individuals have about how their data is used and how they can exercise those choices.
  • Data retention periods.
  • How individuals can exercise their rights of deletion and correction of the data and how they can withdraw their consent to you processing their data.
  • The nature of your complaints process and clear information on how an individual can contact the ICO.
  • How individuals will be notified of any change in the privacy policy.

This privacy information should be provided to the individual at the time you collect the data.

Is your privacy policy displayed clearly?

We mentioned above the emphasis GDPR places on making information about personal data clear, concise, and straightforward. Even if you provide all of the privacy information required by the rules, your privacy policy won’t be truly GDPR compliant if it is not easily accessible. This means:

  • Displaying the policy prominently on your website and giving details of where it can be found on company stationery and related materials. If you intend the policy to appear on smaller mobile devices, you must ensure the wording appears clearly in the reduced screen space.
  • Keeping the wording jargon-free. It should be easily understood by those with no background in data protection law and should be set out in an easily digestible way, for example with short paragraphs and clear headings.
  • Where appropriate, you can layer the delivery of the policy (for example providing a summary followed by a link to the full policy wording).

Is a privacy policy required by law?

Articles 13 and 14 of the GDPR set out the privacy information you must provide to individuals when you have obtained their personal data. The articles enshrine the right to be informed, which is fundamental to the whole operation of GDPR. How you provide this information is up to you – but it is certainly a legal requirement, and a data breach could lead to stringent fines and other regulatory intervention. A privacy policy is probably the most effective way to ensure you protect the right to be informed.

You should remember that a compliant and comprehensive privacy policy isn’t just in the interests of individuals. It will also benefit your organisation because it will encourage consumers to trust you with their personal information.

Why is a privacy policy important?

Implementing a GDPR compliant privacy policy means you are being honest and open with individuals about how you use their data. You are also empowering those individuals to exert control over how their data is used.

Privacy policies matter in a number of ways:

  • The individuals whose data you are processing are normally your customers or clients. From a business perspective it’s crucial to keep them on side. Explaining how you use their data in a frank and easily digestible way will engender their trust and willingness to provide you with data – data that could be critical to the success of your business.
  • If you process data in a way that’s not transparent you can increase the risk of misuse of the data. This could potentially lead to a data breach (and regulatory intervention) or instances of discrimination or prejudice that could leave your organisation exposed to damaging legal claims. Both regulatory intervention and legal action could significantly harm your commercial reputation.
  • The exercise of drafting and keeping a privacy policy under review will help you deal with GDPR compliance more broadly. The background work required for an effective privacy policy – data audits for example – will force you to assess and question the way your organisation handles the data it holds.

Can’t you just copy someone else’s privacy policy?

There is certainly a temptation, in certain areas of GDPR compliance including the provision of privacy information, to use online templates or simply copy the policy of another organisation. While it may be possible to use a template privacy policy if you are engaged in only basic, low-volume transactions, we wouldn’t encourage their use in most cases. Here’s why:

  • An effective privacy policy requires careful thought – only you know what information you are processing and the type of individual whose data you are collecting.
  • You will probably have to carry out some form of data audit before finalising your privacy policy to determine how you use the data you hold, how long you hold onto it and who you share it with. Only with these details can you sensibly frame your privacy policy.
  • The data audit should also address issues such as the lawful basis you rely on for processing the data and what rights individuals have in relation to the type of data you hold. Again, these details will inform your policy in a way that a template or copied policy won’t be able to.

What next?

Our data protection solicitors can offer practical advice on how to approach privacy policies and draft tailor-made policies for your organisation. For more advice on GDPR call us on 0800 689 1700, email us at enquiries@hjsolicitors.co.uk or fill out the short form below with your enquiry.
