How to draft a privacy policy

Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information.  The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one.  The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).

Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.

Information audit

The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:

  • What personal data your organisation collects, including from customers, suppliers, employees, visitors, job applicants etc.
  • How the personal data is collected.
  • Where the personal data is stored, and what technical and organisational measures are in place to ensure security.
  • What your organisation does with the personal data.
  • Whom the personal data is shared with, including data storage and SaaS providers.
  • Whether the personal data is transferred to locations outside the UK, and if so where.
  • Whether the personal data includes any ‘special category data’, and if so whether any additional safeguards have been put in place.
  • How long the personal data is kept.

Privacy notice

The next step is then to create the privacy notice by documenting the output of your information audit.  The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:

  1. Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
  2. The types of personal data the controller collects, and how the personal data is collected.
  3. Whether any of the personal data constitutes special category data.
  4. What the controller intends to do with the personal data.
  5. The lawful basis for processing the personal data.
  6. Whom the controller shares the personal data with, and why.
  7. Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
  8. How long the controller keeps the personal data.
  9. How the controller keeps the personal data secure.
  10. If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
  11. Whether the controller uses automated decision-making, including profiling, and if so details of logic involved and consequences of processing for the individual.
  12. What rights the individual has in relation to their personal data.

Final thoughts…

  • When drafting a privacy notice, it’s tempting to take a broad, catch-all approach – “we will or may use your information for some or all of the following purposes…”, followed by a long list covering pretty much everything you can think of.  Although strictly speaking accurate, the broad brush approach is likely to struggle to satisfy the “concise, transparent, intelligible” requirement.  Put yourself in the data subject’s shoes:  having read the privacy notice, would you understand how your personal information will in fact be used, stored, shared, etc?
  • Because of the amount of information that you may need (or want) to include, consider adopting a ‘layered’ approach for the privacy notice. This is where you have a high-level, top-layer notice with the key privacy information, with links enabling the data subject to click through a second layer with a bit more detail, and then from the second layer there may be further links to a third layer with the full detail.  This layered approach may be particularly useful for mobile or smart devices with small screens.
  • There is no requirement for all the privacy notice content to be provided to the data subject in one go, and it may make sense for you to provide the data subject with privacy information at the time that they are actually providing you with their personal data – so-called ‘just-in-time’ notices.
  • As your organisation evolves through the use of new technologies and/or you offer of new products and services, it’s likely that personal data will be collected and used in different ways.  Put in place a process which ensures that your privacy notice is updated in line with these changes, and then for the updated notice to be communicated to your data subjects.

Receive email updates

Subscribe to updates on topics relevant to you. We won’t use your email address for any other purpose, and you can of course unsubscribe at any time.

Which emails would you like to receive:

I consent to my personal information being used to send me updates on the topics that I have selected.