iDEA Inspiring Digital Enterprise Awards

Creating an online Privacy Policy

Privacy Policies are a legal requirement for any organisation handling personal data. For most companies, the most efficient way to notify data subjects of your policy is through your company website, but privacy policies may also be provided by email or in hard copy.

Under GDPR, businesses are obliged to notify individuals of what personal data will be collected, and how and why it will be used and processed, before collecting any personal data. If your organisation collects personal data on individuals, it needs a privacy policy on the company website.

How should I write my Privacy Policy?

Your policy needs to be written using clear and plain language. It has to cover all the data collection aspects of your website, including, for example, analytics and tracking.

What are the key points to ensure my Privacy Policy is GDPR compliant?

Before collecting any personal data, the following points should be covered in your Privacy Policy:

  • Your company information, including full name, registered office details and business address
  • Identity and contact details of the data controller and, where applicable, of the controller’s representative
  • What information you are collecting and why
  • How consent will be obtained
  • How you will be using the information collected
  • How long the personal data will be kept for
  • Explanation for how complaints can be made and to whom
  • The contact details of the Data Protection Officer, where applicable
  • Information about export of the collected data

Where must the Privacy Policy be displayed?

Your policy needs to be displayed in a prominent position on your website, on every page. It should not be hidden away in sections such as ‘Contact Us’, for example.

What happens if my company’s policy is not compliant?

Regulatory authorities can take enforcement action against organisations whose privacy policy is not compliant. This might involve conducting an audit or accessing your premises to ascertain how you are using individuals’ personal data.

Where your policy is found to be non-compliant, the ICO, or your relevant authority, can make an order for you to bring your policy in line with GDPR. Lastly, proportionate fines can be issued.

Make sure you document any decisions you make on what to include and not include in your privacy policy, so you can show that your policy has carefully considered the personal data your business collects.

Take a look at the Privacy Policy examples below, taken from ico.org.uk. For each of them, decide whether it is a good example or a bad example of a Privacy Policy.

Is this a good or bad example of a Privacy Policy?

This is a good example!

It has simple language and is well presented. There is a clear opportunity for the subject to agree to marketing, and a space to give consent for postal marketing by other companies.

Is this a good or bad example of a Privacy Policy?

This is a bad example!

The language is confusing and the size of the font makes it difficult to read. The parts about asking for consent are generalised, and it is bad practice to seek one consent for several types of processing; e-marketing, for example, requires a specific opt-in consent.

Is this a good or bad example of a Privacy Policy?

This is a bad example!

It implies that it is mandatory to give this information when in this case it is voluntary.

Is this a good or bad example of a Privacy Policy?

This is a good example!

It gives a clear explanation of the outcome of choosing not to provide the requested information.


Is this a good or bad example of a Privacy Policy?

This is a bad example!

It uses unnecessarily complicated language and the title uses an acronym that may not be familiar to the user.


Is this a good or bad example of a Privacy Policy?

This is a good example!

It contains clear information about the identity of the organisation and clear links to relevant additional information. It also contains clear, straightforward guidance on how to access personal information, with helpful privacy advice.

Well done!