Does my website need a privacy policy?

If you're just taking your business online, you'll no doubt have a list of to-dos as long as your arm.

One item that can easily be overlooked is the addition of a privacy policy to your website — though vitally important following the introduction of GDPR (General Data Protection Regulation) throughout Europe and the UK. With these regulations being relatively new, it's easy — especially for startups and small-business owners — to overlook the importance of a coherent privacy policy.

But what exactly are they, and does every small business need one? We’ll deep dive into everything you need to know about privacy policies.


  • The Data Protection Act was put in place to protect people and lay down laws for businesses and organisations that process, collect and store personal data.
  • If businesses fail to comply with UK regulations, they could be fined up to £17.5 million.
  • Any business that sells goods or services — whether paid for or free — must comply with GDPR.
  • Consumers have the right to make a subject request to find out what personal information an organisation holds about them.

What is a privacy policy?

When users visit or register on a website, they are asked to agree to the terms and conditions laid out by the site's owner. This provides businesses with an opportunity to collect data, individually tailor the user experience and improve their site's overall effectiveness. It also brings with it additional legal considerations.

The Data Protection Act is the UK’s implementation of the ‘General Data Protection Regulation’, also known as GDPR, set out by the European Union. The Data Protection Act 2018 controls how personal information is used by businesses, organisations and the government.

Anyone responsible for using personal data must follow a strict set of principles and make sure that any information collected is:

  • Used fairly, lawfully and transparently
  • Used for specific, explicit purposes
  • Used in a way that is relevant, adequate and limited to only what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept for no longer than necessary
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Non-sensitive personal data can be:

  • Name
  • Address
  • Age
  • Education

Is there stronger legal protection in place for sensitive information?

For certain pieces of information collected, there is stronger legal protection in place. This includes sensitive information on:

  • Race
  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetics
  • Biometrics (where used for identification)
  • Health
  • Sexual orientation, or sex life

This sensitive data has to be processed differently and a business will need a lawful basis under Articles 6 & 9 of GDPR to process this data.

What businesses need to comply with privacy policies?

EU GDPR compliance is required for any business or individual that handles user data, no matter where the website's servers are based and regardless of the size of the business. It applies to all websites that offer goods or services — whether paid for or free — to people in the EU, including small businesses and startups.

Are privacy policies a legal requirement?

Before the introduction of the EU-wide GDPR in 2018 (and the UK GDPR, brought in following Brexit), many businesses took a 'nice to have' approach to privacy policies. However, introducing this data regulation brought with it the real threat of legal action against site owners who failed to include and operate in line with their policy.

It should also be noted that anonymous data is treated differently from personal data and, therefore, does not require any specific protections or consent gathering. The caveat is that it can be difficult to guarantee any data is truly anonymised, so it is wise to cover such information in your privacy policy.

Also, keep in mind that even if you don't collect identifiable data from users, if third parties have access to user data — via APIs, for example — you will, at least in part, be legally responsible for what they do with that data.

What happens if my business goes without a privacy policy?

Now that the Brexit transition period has ended, there are two versions of GDPR that UK organisations and businesses need to comply with:

  • The UK GDPR applies to the processing of UK residents’ personal data.
  • The EU GDPR applies to the processing of EU residents' personal data.

If your business or organisation fails to comply with UK regulations, you could be severely out of pocket, to the tune of up to £17.5 million or 4% of annual global turnover — whichever is greater. The EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover.

Aside from fines, the UK’s Information Commissioner’s Office (ICO) can also issue:

  • Assessment notes
  • Warnings
  • Reprimands
  • Enforcement notices
  • Penalty notices (administrative fines)

The ICO also states that it “focuses the use of its enforcement powers on cases involving reckless or deliberate harms, and is therefore unlikely to take enforcement action against any organisation genuinely seeking to comply with the provisions of the legislation.” In layman’s terms, the ICO is looking out for people or groups who are intentionally breaking the rules or being careless about it. If, as a business, you’re genuinely trying your best, then you won’t have to worry so much about them coming after you.

What are businesses usually in breach of?

The documentation surrounding GDPR rules is long and complex, but the overwhelming majority of cases found to be in breach of the regulation have violated Articles 5, 6 and/or 32. But what are they?

Article 5 - Data Processing Principles

Personal data must be:

  • Accurate and kept up-to-date
  • Stored no longer than necessary
  • Processed to ensure appropriate security
  • Processed lawfully, fairly and transparently
  • Collected only for specific legitimate reasons
  • Adequate, relevant and limited to what is necessary

Article 6 - Lawfulness of Processing

Personal data can only be processed:

  • For purposes in the public interest
  • If the subject (user) has consented
  • For legitimate organisational interests
  • To protect the data subject’s vital interests
  • To meet and comply with contractual and legal obligations

Article 32 - Security of Processing

Article 32 requires data controllers and processors to implement “appropriate technical and organisational measures” to secure personal data.

How much does a privacy policy cost?

Ideally, there would be a uniform figure across the board. However, this isn’t the case.

In reality, the answer is ‘it depends’. As a rule of thumb, the cost will fairly reflect the complexity and detail required. Some places can charge as little as £300, while if you want to enlist the help of a UK data protection lawyer, these prices can run from anywhere between £500 and £5,000.

As with many business investments, you’ll need to balance the risk of a DIY approach against the cost of using a professional.

There are also a number of factors that could add to the cost of producing a legally adherent privacy policy; unfortunately, there's no shortcut available here.

What do you need to include in a privacy policy?

If you’re opting to write your privacy policy yourself, or just looking to double-check that yours has the correct information, there are some details that always need to be provided and others that are needed only where applicable.

According to the ICO, a privacy policy can include:

1. Business name and contact information

When writing a privacy policy, it’s important to make sure that you use easy-to-understand language with the correct legal terms. The average person will most likely not understand a complicated policy with jargon they can’t wrap their head around.

At the beginning of the document, you should make sure to list your company information, specifically the:

  • Business address
  • Business name
  • Business email address
  • Business phone number(s)

This shows that your company is transparent and encourages open communication.

2. Mention the type of information that you’ll be collecting

The term ‘personal data’ is expansive and a lot more complex than you might think.

‘Personal data’ can be described as “the physical, physiological, genetic, mental, commercial, cultural, or social identity that is specific to the subject”.

Make sure to use specific terms instead of phrases like “we collect contact information”, as they could refer to a whole range of details. Instead, it would be best to word it as “we collect information on your telephone number, physical address and email addresses”, if applicable.

3. Explain how and why your website collects data

There are many different ways to collect user information, so you must specify why and how your website collects this data.

This can be collected through:

Regardless of the reason for collecting this data, customers have the right to know what businesses and organisations are doing with their information.

4. Provide information on how users can opt-out

One of the main goals of GDPR is to give users more control over the information that websites collect about them.

Your privacy policy should describe all the options users have in case they want to revise any of the previously given permissions they’ve set, as they may not want their information collected indefinitely.

This includes:

  • The right to request data
  • The right to request organisations and businesses delete any acquired information
  • The right to review any collected data in full

5. Mention if the data is shared with third parties

If you plan on sharing any data with third parties, this must be specified as a disclaimer in the privacy policy. Third parties can include marketing partners, service providers, credit processors and more.

Not disclosing this information can put you at legal risk, and most laws and regulations prioritise transparency.

6. Include how long the data will be stored

According to GDPR laws, businesses and organisations can keep any collected data no longer than necessary for the purpose it was initially obtained.

Since GDPR doesn’t specify a particular timeframe, it can be hard to know how long you’re likely able to store personal data for; however, you should revise this section regularly to make sure that you’re complying.

7. Explain how you’ll protect the personal data

Customers are putting their trust in your business by allowing you to gather their information. So, it’s your responsibility to make sure that that data is protected to ensure there’s no data leakage.

Genetic testing provider 23andMe faces multiple lawsuits in the US following a large-scale data breach in which a hacker leaked millions of customer data, including full names, sex, date of birth, DNA profiles, location and regional details.

However, it’s also important not to be too specific in this section, as malicious hackers could use those details to bypass your security measures and compromise the integrity of your website.

8. Describe the dispute resolution process

A website privacy policy should describe how the dispute resolution process works, should a customer need to open a dispute.

Some companies may tend to add this information in their ‘Terms and Conditions’, but, nonetheless, this should sit somewhere on your website where customers are able to access it should they need to.

What are consumers’ rights to access their stored information?

Individuals have the right to ask organisations whether or not they’re using or storing their personal information.

According to the ICO, individuals can make a subject request to find out:

  • What personal information an organisation holds about them
  • How they are using it
  • Who they are sharing it with
  • Where they got the data from

These rights are designed to give individuals greater control over their personal data and to ensure that organisations and institutions handling that data do so responsibly and in compliance with data protection laws.

Why is the right of access important for individuals?

The right of access to personal data is extremely important for individuals, particularly when it centres around the principles of data protection, privacy, and individual rights:

Transparency — It promotes transparency and accountability in data processing. By allowing individuals to access their personal data, they can see how their information is being used, by whom, and for what purposes. This transparency helps build trust between individuals and organisations that handle their data.

Control — It empowers individuals to have control over their own data. In an increasingly digital and data-driven world, individuals should have the ability to influence what happens with their personal information. Access rights allow them to correct inaccuracies, update information, or even request the deletion of their data when it's no longer necessary.

Privacy protection — The right of access is a fundamental aspect of privacy protection. It ensures that individuals can verify the accuracy of their data and confirm that it is being processed lawfully. This is especially crucial in cases where incorrect data or unlawful processing could have serious consequences for individuals.

Compliance with the law — Access rights are a legal requirement in many jurisdictions, including the UK, under the GDPR and Data Protection Act 2018. Compliance with these laws is essential to avoid legal penalties, fines, and reputational damage.

What does Google’s E-E-A-T update mean for privacy policies?

Having a privacy policy on your website helps enhance trust signals and show search engines that you value your users — and it also signifies that you take data compliance seriously. Both of these factors make it clear that your website is a reputable business or organisation, hence impacting your SEO and making you appear higher in search results.

But how does a privacy policy improve your E-E-A-T?

Having a privacy policy can improve your E-E-A-T by:

Experience — Showcases to users that a website is knowledgeable and a potential expert in their field. Google states, “websites that ask for personal information without a privacy policy may be considered low quality.”

Expertise — A well-written privacy policy page can demonstrate a business's or organisation's expertise in data protection laws and regulations.

Authoritativeness — It can help establish your website as an authoritative source of information by providing transparency about how you collect, store and use your customers’ personal information.

Trustworthiness — A privacy policy page can help build trust with users by showcasing that a business or organisation has an official website that follows GDPR laws.

Get in touch with takepayments today

A privacy policy is a vital component of the everyday running of your business, and so are card machines. Whether you decide to opt for portable, countertop or mobile devices, our card machines for small businesses can help make payments more manageable.

To find out more about any of our payment solutions, or discuss your options in more detail, contact our dedicated experts today! Or, check out our blog to learn more about takepayments' technology.

John Clark

Product Manager
