If you're just taking your business online, you'll no doubt have a list of to-dos as long as your arm.
One item that can easily be overlooked is the addition of a privacy policy to your website — though it is vitally important following the introduction of GDPR (General Data Protection Regulation) throughout Europe (and more recently, UK GDPR, which is explained further down). With these regulations being relatively new, it's easy — especially for startups and small-business owners — to overlook the importance of a coherent privacy policy.
But what exactly are they? Does every small business need one? And what are the repercussions if you fail to include a privacy policy? These are just some of the questions we're going to answer for you in this blog.
When a user visits or registers on a website, they are asked to agree to the terms and conditions laid out by the site's owner. This provides businesses with an opportunity to collect data, individually tailor the user experience and improve their site's overall effectiveness. It also brings with it additional legal considerations.
EU GDPR compliance is required for any business or individual that handles user data, no matter where the website's servers are based and regardless of the size of business. It applies to all websites that offer goods or services to people in the EU, including small businesses and startups.
The definition of 'data collection' is a broad one, covering everything from storing payment and personal details, all the way to including third-party tracking cookies on your site. Names, dates of birth, email addresses, payment and shipping information, phone numbers and bank details are all examples of personal user data (but that list is not exhaustive).
As such, privacy policies are required in order to comply with GDPR, which came into effect in May 2018. The regulation requires that all companies have a clear statement outlining the type of data being collected, what they do with this information, why it is being used, how long it will be stored for and under what conditions, and what third parties (if any) this data will be shared with. Alongside this, a privacy policy will also cover how consent is obtained from customers and what rights they have over this data.
Before the introduction of the EU-wide GDPR in 2018 (and UK GDPR, brought in following Brexit), many businesses took a 'nice to have' approach to privacy policies, but the introduction of this data regulation brought with it the real threat of legal action against site owners who failed to both include and operate in line with their policy.
It should also be noted that anonymous data is treated differently to personal data and therefore does not require any specific protections or consent gathering. The caveat is that it can be difficult to guarantee any data is truly anonymised, so it is wise to cover such information in your privacy policy.
Also keep in mind that even if you don't collect identifiable data from users, if third parties have access to user data — via APIs, for example — you will, at least in part, be legally responsible for what they do with that data.
Your business could be out of pocket, to the tune of up to £18m or 4% of annual turnover, whichever is greater. For small businesses, the latter possibility would, understandably, usually apply.
Aside from fines, the UK's Information Commissioner's Office (ICO) can also issue a number of other punishments for non-compliance, such as:
The documentation surrounding GDPR rules is long and complex, but the overwhelming majority of cases found to be in breach of the regulation have violated Articles 5, 6 and/or 32:
Personal data must be:
Personal data can only be processed:
Requires data controllers and processors to implement “appropriate technical and organisational measures” to secure such personal data.
Ideally, this would be a uniform figure across the board. In reality, the answer is, 'It depends.' As a rule of thumb, the cost will fairly reflect the complexity and detail required. There are a number of factors that could add to the cost of producing a legally adherent privacy policy; unfortunately, there's no shortcut available here.
P.S. If you're interested in more advice on building and growing your small business website, we have more excellent articles on the subject:
Information correct as of Feb 2022.