7 Oct 2016

What should I include in my Privacy Policy?

By: Nadine Ishani

The ICO have recently released updated guidance on what to include in your privacy notices - we run through the key points here.

Reading time: 5 mins

The Information Commissioner's Office (ICO) has just released updated guidance on what to include in your privacy notice or privacy policy. The guidance has been written with both the current Data Protection Act and the upcoming changes in mind, so it's worth a read. The code covers how data that identifies individuals is collected and used.

At present, the expectation is that the UK will leave the EU sometime in 2019. The EU General Data Protection Regulation (GDPR) is due to come into effect in 2018, so it is important to keep an eye on what changes are coming so you can work out how your organisation will tackle them.

The main idea behind a privacy policy is transparency: being clear about what data you collect about a person, who you share it with and how you use it. This gives your website users a real choice about how they engage with you, and it helps build confidence between you and your customers.

That data may take many forms, but some examples would be:

  • collected (a user fills in a form, or buys something using a loyalty card or account)
  • observed (on-site behaviour tracked by a cookie, geolocation tracking)
  • recorded (calls made to a call centre that are recorded and retained)
  • derived (multiple data sets combined to build a picture of your customer)

The code includes a privacy impact assessment to help you determine the key action points for your organisation.

It also includes a thorough checklist of what to include in your privacy notice, along with examples of good and bad practice to help you assess your existing policies.

We're not going to replicate everything here; we simply recommend that you read the update. Doing this properly may take a significant amount of time, but it's worth doing.

Compliance with the Data Protection Act is a legal requirement, and the Information Commissioner can take action against any organisation found to be in breach of the DPA. The maximum monetary penalty for non-compliance is £500,000; the ICO can also issue an enforcement notice ordering an organisation to improve its privacy notice or to stop the processing altogether.
