Writing a user-friendly privacy policy

In summary, a privacy policy sets out who you are, how you will collect, use and store personal data and how a customer/contact can control that use of their personal data.

The law requires that you display a clear link to your privacy policy on your website, at all points of online data collection. Your privacy policy is your opportunity to build customer confidence and trust and make them feel good about doing online business with you.

A good privacy policy is easy to find, easy to read and explains all the web visitor needs to know about your approach to handling the personal data they supply you. It also serves as a promise to your visitors and customers that you will act according to the statements laid out in the policy. So be sure not to promise what you can’t (or won’t) deliver!

Below is an outline of the content you should include in your privacy policy to ensure it is user-friendly and regulation compliant:

  • State what data you collect, e.g.

    • name and job title
    • contact information including email address
    • demographic information such as postcode, preferences and interests, transactional data
  • Explain what you do with personal data – and what you do NOT do.
  • State the physical address of the Data Controller.
  • List out your group companies, where applicable.
  • Explain how the personal data you hold is handled and processed.
  • State your policy on the use of cookies, ie how you use them and why.
  • Your policy on transfer of data overseas (i.e if you don’t do it, then state this).
  • Subject access arrangements – how can a customer/contact gain access to the personal data you hold on them.
  • Data security guarantees – ie the physical, electronic and business procedures in place to safeguard and secure the information you collect.
  • Links to other sites – ie where your privacy policy ends, e.g. “such sites are not governed by this privacy statement”.

Definitions


Personal data

Personal data is defined as information about a living, identifiable individual – identifiable either from that data, or from other information which is likely to come into the possession of the Data Controller. It includes an expression of opinion about the individual and any indication of intention in respect of the individual.

Definitions


Data Controller

The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.