24 Upper Brook Street London W1K 7QB +44 (0) 333 444 5544 info@maybrooklaw.com

Does your business need a privacy policy?

Data is a valuable asset for any company. It helps businesses streamline their operations and learn more about customers’ needs so that they can better serve their target audience. Over the last couple of years, data protection has become a hot topic of discussion not only in the legal sector but across all industries as users are becoming more cautious about sharing their data and organisations are more careful when handling data.

With the United Kingdom’s withdrawal from the European Union (EU), there has been some uncertainty concerning which data regulations will continue to apply to UK businesses and to those who monitor the behaviour of UK citizens or supply goods and services to them. There are currently three important pieces of legislation to observe:

  1. UK GDPR, which is the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR);
  2. Data Protection Act 2018 (DPA), which establishes the basis for data protection law in the UK; and
  3. UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which regulates electronic communications and sets out users’ privacy rights relating to such communications.

Each piece of legislation has been amended several times. You should always check the latest version and ensure that your data processing is in line with the updated law. If your business operates within the European Union or provides goods or services to European citizens, then you may be required to comply with both the UK GDPR and the EU GDPR. Non-compliance with either piece of legislation may result in severe fines.

Adhering to the data protection rules is not just a mandatory legal requirement. It also enables you to be transparent about your company’s data processing practices and earns your customers’ trust. In this blogpost, we discuss why you need a privacy policy and what it should contain.

What is a privacy policy?

The UK GDPR sets out seven key principles relating to the processing of personal data. The Information Commissioner’s Office (ICO) recommends that these principles should lie at the heart of your approach to processing personal data.

The first principle – also known as the Lawfulness, Fairness and Transparency Principle – is that any business or organisation (whatever its size) that processes personal data about individuals for any business or other non-household purpose must do so “lawfully, fairly and in a transparent manner”. In short, this means that you must:

  1. have a lawful basis for collecting and processing personal data and must not do anything unlawful with that data;
  2. handle the personal data for the purpose it was given and not use it in any way that may have an unjustified adverse effect on the data subjects; and
  3. be clear, open, and honest from the outset about who you are and how and why you use the personal data shared with you.

The seventh principle under the UK GDPR – also known as the Accountability Principle – requires data controllers to demonstrate compliance with the data protection principles of the UK GDPR and holds them accountable for non-compliance. However, this principle must not be misconstrued. Both data controllers and data processors are obliged to comply with the UK GDPR principles and any applicable data protection rules.

To meet the requirements of the data protection principles of the UK GDPR (particularly the obligation to be transparent), people should be given information about how their data is collected and processed at the time they share it. Businesses set out such information in a document known as a privacy policy, privacy notice, privacy information or fair processing information.

A well-drafted privacy policy also provides a framework for ensuring that the company meets its obligations under the key legislation mentioned above, namely the UK GDPR, the DPA and the PECR (if applicable).

Do you need a privacy policy?

The short answer is – yes. In our data-driven world, most business operations involve collecting and processing personal data on a daily basis. You may be using the names and addresses provided by your customers for delivery of goods or you may be handling employee information for payroll reasons. Almost every transaction and interaction with any organisation (whether taking place online, over the phone or on the doorstep) requires individuals to provide some personal data. So you can be pretty certain that your business must have a privacy policy.

There is a misconception that only businesses which operate a website are required to have a privacy policy. This is incorrect. You should provide your privacy policy at the time you collect individuals’ data or before. For many businesses, this is when customers access their websites, so they display a copy of their privacy policy there. A privacy policy relating to employees’ information is often given to them with the employment contract for execution.

What should a privacy policy include?

Your privacy policy must explain how your business collects, uses, shares, secures, and processes personal data. This information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The rule of thumb is that a child should be able to understand your privacy policy and easily access it.

A compliant privacy policy should contain the following information:

  • The identity and contact details of your organisation (or your representative);
  • The identity and contact details of your data protection officer;
  • The purposes of the processing;
  • The lawful basis for processing (which may include consent, contractual obligation, or legitimate interest);
  • The type of personal data that is collected and its source;
  • Details of data sharing with any third parties, including transfer of any personal data to a third country or an international organisation;
  • The period for which the personal data of the individual will be stored;
  • The rights of the individuals, comprising the right to:
    • request access to their personal data;
    • request erasure of their personal data;
    • withdraw their consent; and
    • complain to a supervisory authority;
  • The existence of automated decision-making, including profiling; and
  • Whether individuals are under a statutory or contractual obligation to provide personal data.

Concluding thoughts

Privacy policies are fundamental legal documents for any organisation. With the recent growing emphasis on the importance of privacy, failing to comply with data protection regulations may result in severe fines and the loss of your business. Our data protection professionals have years of expertise and are continually up to date on regulatory and industry developments. Get in touch with one of our legal experts if you need assistance developing a legally compliant privacy policy.

Our insights, articles and guides do not, and are not intended to, constitute legal advice or be an exhaustive review of all legal developments. Although every effort is made to ensure that the information provided in this article is accurate as of the publication date, please be aware that this area of law may be subject to change. Please seek legal advice before applying the information provided to any specific circumstances, transactions or legal issues.
