Privacy Policy Guide

Starting a business can be stressful enough without the additional pressure of providing a comprehensive privacy policy. This pressure only intensifies when you search endlessly through the internet only to find complex and confusing examples and guides. The objective of this article is to provide you with a starting point in creating a clear and easily understandable privacy policy.

If your company obtains personal and private data from customers you are legally required to implement a privacy policy on your website (and if you do not have a website, don’t think you are exempt, as you will have to communicate this information in a reasonable way to your customers anyway). For any of you law geeks who are interested, the statute that governs data protection in the UK is the Data Protection Act 2018. 

Why does my business require a privacy policy though? 

The data and analytics you receive from customers is often crucial to your business success, as it allows you to make calculated predictions, as well as better help your customers depending on the goods or services you provide. But that information is private and confidential. In the same way you wouldn't give your name, phone number and address to a random guy in a suit on Oxford Street, why should customers give you their personal information? 

Implementing a privacy policy and providing a clear and concise explanation of how their personal information will be handled creates trust that you are not just some dodgy guy asking for your personal information. In more professional terms, it prevents businesses from taking unfair advantage of, and using, personal data provided by consumers without their permission. However, it is also beneficial to you, as customers are more likely to provide you with that information. 

Briefly, a privacy policy sets out how a company or a business uses personal information. This includes how it is organised, disclosed and stored, and who can access this information. A good privacy policy will include why the company or business is collecting personal data and what data is being collected. If the company shares this collected data with any third party, this should also be disclosed - and, most importantly, how this personal and private data will be protected. 

Before slapping on an episode of Suits and getting your feather pen out to start writing the privacy policy, it's often helpful to set out the lifecycle of how data is collected, used and stored. Ideally, this is written in chronological order, to allow customers to easily digest the information. The chronology considers what, when and how the information is collected and stored.

Our members at The Clinic have taken the time to go through several privacy policies so you don’t have to, and have outlined below the most common and important areas that you should include to create a comprehensive privacy policy.

What information will your company be collecting?

It's important to remember there are differences between the types of data that can be collected. Your company may be collecting personal information or private information, and yes, there is a difference. 

Personal information is data that can be used to identify you specifically. This is the information you are asking your customer to provide; this could be information such as their name, address, and phone number. These can often be easily explained in the privacy policy without problems. 

Private information often requires additional regulation as it involves private and confidential data such as medical data. 

An insight developed from The Clinic's research is to let customers know clearly what information is going to be collected from them, so they can make an informed decision as to whether or not to continue. 

What will you do with the collected information?

Seriously, you haven’t even offered me dinner, and you’ve taken my personal information without me even knowing what you are going to use it for. You’ve said what data you are collecting but make it clear what the data is going to be used for, and make sure that is all you are using it for! Are you going to be sharing that personal information with a third party? If so, you must include it in the privacy policy. 


How the data is stored safely 

There is no doubt that you have appropriate safeguards for safely storing the personal information so it doesn't get into the wrong hands, but you need to communicate that to your consumers! If you will be taking payment details you are responsible for protecting that information; the last thing you want is to have to explain to customers that their details have been stolen by hackers!

State how you have received this personal information.

This can be information logged onto the website by the individual, or information obtained from third-party applications. If received indirectly, it is important to state the source it was received from.

State whether you share this information, and if so, who with?

As mentioned above, if you share collected information with a third party you must inform your consumers of this. The main goal of the GDPR (General Data Protection Regulation) is the disclosure of the use of people's data - so let your clients know.

State why this information is necessary to collect

The collection of some personal information is required by the GDPR, and it is important to communicate to your client what this information is and why it is necessary. These are pieces of information that you, as a company, are legally obliged to collect before continuing with the service, so be sure to note the relevant sections of the GDPR. There might also be other reasons why you may be collecting the information, but the general principle is to make this known to your consumer.


Data protection rights 

It is important to highlight to your customers their data protection rights. These rights are outlined by the GDPR. To present it to clients in a more digestible way, it may be useful to bullet point each right with a small explanation as to what it is. Examples include the right to rectification or the right to erasure. 

Right to lodge a formal complaint and the procedure

You should already have a complaints procedure, which will make this section much easier to fulfil. The next step is, once again, letting your customers know of this procedure. This makes it easy for clients to file a complaint (hoping that doesn't happen). However, it also allows you to mitigate the risk of suits or actions by lawyers brought on the grounds that there is no complaints procedure in place. Some implementations include the contact details of the company, or of the part of the company dealing with complaints. This may be a good step to make your policy more easily digestible - it lets you show your clients that a procedure exists in the event that these rights need to be exercised.

Notice any recurring points? 

Yes, it was surprising to us as well when researching privacy policies, but the main takeaway is that there isn't anything too complex or new to include. In essence, a privacy policy should state what information is collected and how it is collected and used, and outline the procedures which are already in place, in an easy-to-understand way. 


Hopefully this article has provided you with a starting point, but remember, you should always consult a legal professional, as they will be able to advise you specifically considering the context of your particular business!

Authors: Tanisha Shah, Jasmine Fairman, Niccolo Guastella and Sofia Martiello

DISCLAIMER

This article has been written by law students for the sole purpose of providing informative insight. The information in this article is intended for educational purposes only and does not constitute legal advice. You should seek independent legal advice before relying on any of the information provided in this article.