Your customers’ data – your responsibilities

Privacy policies and your website - what do you actually need?

On the 25th May 2023 we marked (we like a celebration here at Rubber Duckiee) 5 years since the GDPR became law in the UK.

While some might resent it, many of us have come to accept the exchange that occurs online these days. The exchange whereby we, as consumers, hand over our data (probably not always appreciating quite how much) and in return get access to platforms promising to entertain, or perhaps make us fitter or more productive.

But, if you’re running one of these online businesses, or indeed any organisation, for profit or not, what do you need to know when it comes to your website and the collection of your people’s data?

What is a privacy policy?

Any organisation that collects data – in any way – must set out how and why it does this in a privacy notice / policy.

Privacy policies are essential these days and should set out how you collect, use, store and protect personal data.

The purpose is to inform those interacting with you about their privacy rights and how their information is handled by your organisation. Having a clear and comprehensive (this doesn’t mean it has to be complex though) privacy policy is crucial for establishing trust by demonstrating your commitment to data protection and meeting legal requirements.

Key elements of a privacy policy:

Privacy policies are legal documents, so it’s generally worthwhile getting an expert to check yours over (we can recommend you one), but you can also use the templates provided on the ICO’s website as a guide to where to start. In summary, this is what you need to cover:

a) Data Collection: Quite simply, what data are you collecting from people? E.g. names, addresses, emails, payment information.

b) Data Usage: This is where you need to be clear on why you’ve collected the data you have. E.g. to fulfill an online order, or to market your business, or to provide customer support services – whatever the reason, you need to state it here. You should also set out whether the data you’re collecting and using will be shared with anyone else and, if so, why and how.

c) Data Protection: This is the security focused section and where you need to let people know how you’re going to protect their data from misuse or loss.

d) Data Retention: It might be tempting to hold onto data for as long as you can (just in case, one day it might be handy…), but actually you should not be storing it for any longer than required in order to fulfill your obligations around why it was collected in the first place.

e) Rights of Individuals: Let people know about their rights, such as the right to access their data, correct inaccuracies, object to processing, and lodge complaints with the UK’s ICO.

f) Cookies and Tracking: If you use cookies or any other tracking technologies on your website then you need to say what they are and what they’re doing.

It may not be the most exciting thing in the world to come back to, but do make sure to schedule in time to review your privacy policy on a regular basis to ensure it still reflects and covers your data collection.

Do you need a privacy policy for your website?

Yes, BUT it’s not just about your website and you do not need a separate privacy notice covering what information is collected by your site. Any business that collects or stores people’s personal data needs a privacy notice and it needs to be easily accessible. Having it on your website helps you to do that.

If your site does collect personal data, you need to remember to include this in your privacy notice and if the majority of your customers or clients find you through your website then they should easily find your privacy notice there too.

Your organisation’s privacy policy should cover every channel through which you collect data and set that out before making it available to people to read through online.


Need more advice?