Wed 06 / 10 / 21
How to write a good privacy policy
What makes a good privacy policy? It's a legal requirement under UK GDPR, but it can be hard to know where to start. Sofia Carroll shares her framework for writing a privacy policy for your website, what you need to think about, and where to put it.
By Sofia Carroll of
A privacy policy is your way of telling your clients how you use their personal data. You need one not just because it is a requirement under the UK GDPR, but also because being honest about what you do with personal data inspires trust in your customers. Here are some tips on how to do this right.
Why do I need a privacy policy?
Under the UK GDPR, people have the right to be informed. This means that they need to know how and why you use their personal data - often best achieved by having a privacy policy on your website.
There’s certain information you need to have available – it can be called ‘privacy information’, a ‘privacy statement’, or a ‘data protection policy’ – but they all mean the same thing.
A privacy policy can also help you think about how you use data more broadly; you’ll have to explain it in simple, layman’s terms. Being honest about it supports the principle of transparency, which is key under data protection legislation.
What makes a good privacy policy?
What a good privacy policy looks like will depend on what you use someone’s personal data for, but there are some elements that are easy to get right. Here are a few starting points:
Don’t use legal jargon
A privacy policy isn’t a contract that needs to include legal terminology to be proper - but it does need to be easy to read so people using your website can understand exactly what will happen to their data.
Think about your audience
This follows from making sure you don’t use legal jargon – a privacy policy has to be understandable, and in a language accessible to your customers. As an example, if you use children’s personal data, you’ll want your privacy information to be much simpler than if you were working with adults.
Make it easy to find
Your privacy policy needs to be in a prominent place. Including it in your general terms and conditions, or linking to it from a page that people might not visit, doesn’t make it prominent.
Think about the layout
Follow general recommendations for good web content - break it up into sections, use clear headings and bullet points, and include links to your cookie policy and related articles.
How do I write my privacy policy?
Have a think about the points below – all of this information needs to be included in your policy, so it’s a good framework to get started:
- Who you are and how you can be contacted
- Why you use personal data (include all purposes)
- What your lawful basis for processing the data is
- How long you will keep data for
- What rights people have
- How people can complain to an authority
- Who you share data with, and where it goes internationally, may also be relevant
Working with colleagues from different areas who are able to explain why and how they use certain personal data can help you explain these purposes. And, if you have a record of processing activities, you can use this as a way to structure the information you include in your privacy policy.
If you find there’s too much to include in one go, you can adopt a layered approach. You can provide some privacy information at the point of personal data collection (for example, a short blurb where your contact form is), which includes a link to a more detailed explanation (your full privacy policy).
Sofia Carroll is a data protection consultant.