
How to write a great privacy policy


When you’re collecting, storing or using personal data, it’s essential that you tell individuals exactly how you’re doing this and what it means for them.

The best way to do this is in a clear and plainly written privacy policy. Unfortunately, many companies still have lengthy and opaque policies that don't earn consumer trust.

We've put together the below to help you write a stellar privacy notice, suitable for all organisations.

Remember: you have to comply with both GDPR & the ePrivacy directive

This is because when a data privacy issue is raised, especially if it’s related to communications, regulators will go straight to the ePrivacy directive.

The ePrivacy directive has been in effect since 2002 and was updated in 2009, and its rules supplement GDPR - the two go hand in hand.

The ePrivacy directive requires ‘transparency’ and ‘affirmative consent’ to tackle problems like spam, excessive profiling and behavioural advertising. It also addresses the confidentiality of e-communications in more detail, for example Facebook Messenger or WhatsApp, and the monitoring of internet users using tracking technologies like cookies.

Your privacy policy template ⚖️

Below is the structure of a great privacy policy, and we’ve made sure to add what you need to do to comply with the ePrivacy directive as well.

Remember, you need to notify the data subject of your privacy policy as soon as data is being collected.

  1. Our contact details: e.g. your business’ postal address, phone number, and email address
  2. What type of information we have: e.g. name, location, search history…
  3. How we get the information and what we do with it: e.g. you provide us with most of the information we process because we need it to do X. We also gather information from third-party Y to do Z. The best thing to do is to combine 3 & 4, e.g. in a table that shows how you get each item of data (such as their name and address), what you do with it, and the legal basis you rely on to process it.
  4. The legal bases we rely on: you need at least one legal basis for why you’re processing personal data, for example consent, contractual obligation, legal obligation, vital interest, public task or legitimate interests. If you rely on ‘consent’ you need to display it clearly and prominently and include a separate, unticked opt-in box for direct marketing. If the legal basis is ‘legitimate interests’ you need to provide details of this, e.g. we advertise XYZ’s products to you based on your order history on our site.
  5. How we store your information: 🔒 e.g. your information is securely stored [location]. We keep [type of personal information] for [time period]. We will then dispose of your information by doing X.
  6. Your data protection rights: remember that the right to object should be presented separately, not hidden in the bulk of the text. E.g. your rights are the right of access, rectification, erasure, restriction of processing, objection to processing and data portability. Here’s how to object to processing…
  7. How to complain: 🗣 e.g. If you have any concerns about our use of your personal information, you can make a complaint to us at [contact details for data protection queries]. You can also complain to the ICO if you’re unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Our top tips 💡

These are the areas we see a lot of privacy policies fall short in, so make sure you do the following:

Be transparent and precise

For example, ‘we will retain your browsing history for advertising purposes.’ AVOID using the following phrases at all costs: ‘we may…’ - either you do something or you don’t; ‘we keep your personal data as long as necessary’ - your organisation needs a specific policy in place for data retention anyway, so just share it. If you only do something in specific circumstances, be specific about what those circumstances are.

Consider a layered approach

Rather than pages of information that most people accept without reading, you can use pop-up boxes on the website so that the information is easier to follow, or use just-in-time notices, video, icons and symbols, and privacy dashboards.

Write in a style your audience would understand

As an example of this, compare ASOS’s privacy policy to Microsoft's. The former is written in a much more casual but clear style.

You need to identify any recipients of the personal data you’re collecting, ideally by name, or at least by category.

If you just say ‘we share your personal data with trusted third parties’, STOP. Please don’t do this; it’s classed as ambiguous language under GDPR.

Examples

For a general idea, this is what the ICO has on their website to demonstrate what a good and a bad privacy policy look like side by side:

[Image: the ICO’s side-by-side comparison of a good and a bad privacy policy]

Image credit: ICO

You can also see our privacy policy here for reference.

After roll-out

Remember to keep your privacy policy under review; take into account any complaints and update it if there are any changes to the way you collect and use personal data.

Final thoughts 💭

Remember, although a privacy policy is a legally required document, it should be accessible to non-legally trained people too. One option is to have a ‘layman’s terms’ version at the start, supported by the legally complete version.

Unfortunately, many organisations don’t fully comply with both GDPR and the ePrivacy directive when writing their privacy policies and don’t implement tips like layering their privacy notice or writing their policy in a style tailored to their audience.

But privacy policies are really important. Writing a good one can help you stay out of trouble if there’s ever a privacy complaint against your organisation, and it shows your customers that you rightly take the protection and security of their personal data seriously, increasing their trust in your organisation 🌟

If you have any further questions, let us know; our support team would be more than happy to help!