It’s fair to say that running a business with a website used to be a simpler prospect than it is today.
UK data protection law now requires you to publish a privacy policy on your website that explains to website visitors how you use their data. Larger businesses will have legal experts who will write their privacy policy for them, through either an in-house lawyer or someone external that they hire to write up the policy.
For SMEs with smaller teams and budgets, though, it can be tricky to know how to craft a privacy policy.
The good news is that a privacy policy can be created without the necessity to pay a lawyer, all you need to do is ensure the policy includes all of the required information, to avoid any legal issues.
As well as fulfilling data protection requirements, having a privacy policy has several benefits, such as:
- Builds trust with website users
- Looks professional
- Gives people peace of mind
- Fulfills third-party requirements (if you use a third-party service such as Google Analytics)
How to write a privacy policy
If you are going to create your website’s privacy policy yourself, using a template will help to ensure you have included everything that is required.
Reading some privacy policies that similar businesses have created and displayed on their website will also help you to understand what should be included. Remember that they may have missed something out that your business needs to include, so don’t just rewrite someone else’s privacy policy.
Writing your privacy policy
These are the main sections you will need to include:
Your contact details
Within the policy, you should include your legal business name and contact details such as an address, telephone number, and email address.
Type of personal information collected
You should list the types of personal information that you collect, such as name, IP address, address, DOB, contact info, etc. The types of information you collect will usually depend on the type of business you are in.
How you get the information and why you have it
You should clearly explain the processes and methods used to gather their information and also explain why you use it.
How personal information is stored
If you are storing any personal information, you need to provide details about how you store it and what security measures you use to ensure that their data is protected.
Data protection rights
The policy should also explain their data protection rights, giving instructions on how they can opt out of collecting and sharing information. You should also share details of how they can unsubscribe from their mailing list.
How to complain
List your complaints process, such as writing to your address or emailing a complaints email address. If you are a business that is regulated, you should also include details of the complaints process that the regulators have in place if the complainant is not satisfied with your response.
These are the key elements to include within your privacy policy but the content should be tailored to your business and the ways that you use data. Some businesses might not collect much data and therefore their privacy policy can be quite basic, while other companies might be collecting, using, and sharing lots of data and require a more comprehensive privacy policy.
Additional support for creating a privacy policy
Many small businesses appoint a person to have the main responsibility for data protection management. You should make sure that this person receives the latest data protection training to ensure that they have the knowledge they need to keep your business compliant.
Bob’s Business offers several online GDPR courses that cover the key aspects of data protection responsibilities and guidance on processes such as creating a privacy policy.
Find out more about Bob’s Business data protection courses.