If you're just taking your business online, you'll no doubt have a list of to-dos as long as your arm.
But what exactly is a privacy policy, and does every small business need one? We’ll take a deep dive into everything you need to know about privacy policies.
When users visit or register on a website, they are asked to agree to the terms and conditions laid out by the site's owner. This provides businesses with an opportunity to collect data, individually tailor the user experience and improve their site's overall effectiveness. It also brings with it additional legal considerations.
The Data Protection Act is the UK’s implementation of the ‘General Data Protection Regulation’, also known as GDPR, set out by the European Union. The Data Protection Act 2018 controls how personal information is used by businesses, organisations and the government.
Anyone responsible for using personal data must follow a strict set of principles and make sure that any information collected is:
Non-sensitive personal data can be:
For certain pieces of information collected, there is stronger legal protection in place. This includes sensitive information on:
This sensitive data has to be processed differently, and a business will need a lawful basis under Articles 6 and 9 of the GDPR to process it.
EU GDPR compliance is required for any business or individual that handles user data, no matter where the website's servers are based and regardless of the size of the business. It applies to all websites that offer goods or services — whether paid for or free — to people in the EU, including small businesses and startups.
Before the introduction of the EU-wide GDPR in 2018 (and the UK GDPR, brought in following Brexit), many businesses took a 'nice to have' approach to privacy policies. However, introducing this data regulation brought with it the real threat of legal action against site owners who failed to include and operate in line with their policy.
Also, keep in mind that even if you don't collect identifiable data from users, if third parties have access to user data — via APIs, for example — you will, at least in part, be legally responsible for what they do with that data.
Now that the Brexit transition period has ended, there are two versions of GDPR that UK organisations and businesses need to comply with:
If your business or organisation fails to comply with UK regulations, you could be severely out of pocket, to the tune of up to £17.5 million or 4% of annual global turnover — whichever is greater. The EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover.
Aside from fines, the UK’s Information Commissioner’s Office (ICO) can also issue:
The ICO also states that it “focuses the use of its enforcement powers on cases involving reckless or deliberate harms, and is therefore unlikely to take enforcement action against any organisation genuinely seeking to comply with the provisions of the legislation.” In layman’s terms, the ICO is looking out for people or groups who are intentionally breaking the rules or being careless about them. If, as a business, you’re genuinely trying your best, then you won’t have to worry so much about the ICO coming after you.
The documentation surrounding GDPR rules is long and complex, but the overwhelming majority of cases found to be in breach of the regulation have violated Articles 5, 6 and/or 32. But what are they?
Personal data must be:
Personal data can only be processed:
Article 32 requires data controllers and processors to implement “appropriate technical and organisational measures” to secure such personal data.
Ideally, there would be a uniform figure across the board. However, this isn’t the case.
In reality, the answer is ‘it depends’. As a rule of thumb, the cost will fairly reflect the complexity and detail required. Some places can charge as little as £300, while if you want to enlist the help of a UK data protection lawyer, these prices can run from anywhere between £500 and £5,000.
As with many business investments, you’ll need to balance the risk of a DIY approach against the cost of using a professional.
At the beginning of the document, you should make sure to list your company information, specifically the:
This shows that your company is transparent and encourages open communication.
The term ‘personal data’ is expansive and a lot more complex than you might think.
‘Personal data’ can be described as “the physical, physiological, genetic, mental, commercial, cultural, or social identity” that is specific to the subject.
Make sure to use specific terms instead of phrases like “we collect contact information”, as they could refer to a whole host of details. Instead, it would be best to word it as “we collect your telephone number, physical address and email addresses”, where applicable.
There are many different ways to collect user information, so you must specify why and how your website collects this data.
This can be collected through:
Regardless of the reason for collecting this data, customers have the right to know what businesses and organisations are doing with their information.
One of the main goals of GDPR is to give users more control over the information that websites collect about them.
Not disclosing this information can put you at legal risk, and most laws and regulations prioritise transparency.
Under the GDPR, businesses and organisations may keep collected data for no longer than is necessary for the purpose for which it was originally obtained.
Since the GDPR doesn’t specify a particular timeframe, it can be hard to know how long you’re able to store personal data for; you should therefore revise this section regularly to make sure that you’re complying.
Customers are putting their trust in your business by allowing you to gather their information. So, it’s your responsibility to make sure that that data is protected to ensure there’s no data leakage.
Genetic testing provider 23andMe faces multiple lawsuits in the US following a large-scale data breach in which a hacker leaked millions of customer records, including full names, sex, date of birth, DNA profiles, location and regional details.
However, it’s also important not to be too specific about your security measures in this section, as a detailed description could help malicious hackers work out how to bypass those measures and compromise the integrity of your website.
Some companies add this information to their ‘Terms and Conditions’, but it should nonetheless sit somewhere on your website where customers are able to access it should they need to.
Individuals have the right to ask organisations whether or not they’re using or storing their personal information.
According to the ICO, individuals can make a subject access request to find out:
These rights are designed to give individuals greater control over their personal data and to ensure that organisations and institutions handling that data do so responsibly and in compliance with data protection laws.
The right of access to personal data is extremely important for individuals, because it underpins the principles of data protection, privacy and individual rights:
Transparency — It promotes transparency and accountability in data processing. By allowing individuals to access their personal data, they can see how their information is being used, by whom, and for what purposes. This transparency helps build trust between individuals and organisations that handle their data.
Control — It empowers individuals to have control over their own data. In an increasingly digital and data-driven world, individuals should have the ability to influence what happens with their personal information. Access rights allow them to correct inaccuracies, update information, or even request the deletion of their data when it's no longer necessary.
Privacy protection — The right of access is a fundamental aspect of privacy protection. It ensures that individuals can verify the accuracy of their data and confirm that it is being processed lawfully. This is especially crucial in cases where incorrect data or unlawful processing could have serious consequences for individuals.
Compliance with the law — Access rights are a legal requirement in many jurisdictions, including the UK, under the GDPR and Data Protection Act 2018. Compliance with these laws is essential to avoid legal penalties, fines, and reputational damage.
Authoritativeness — It can help establish your website as an authoritative source of information by providing transparency about how you collect, store and use your customers’ personal information.