Why do you need a privacy policy?
3rd Sep 2020
Linkilaw Solicitors
Book a call
One of our dedicated team will be happy to discuss your needs.

It is likely you will have heard of the GDPR, the General Data Protection Regulation, which came into force across the EU Member States in May 2018 and which the UK supplemented with the Data Protection Act 2018. This law puts the onus on companies of all sizes to examine the collection, use, storage and security of personal data within their business. What you may not be aware of is that one of the central aims of this legislation is transparency: those you collect data from (the data subjects) must be told how their data is being handled by your business, which acts as the data controller.

A Privacy Policy is the document through which a business meets this transparency obligation, because it tells customers how their personal data is handled. In this article, we’ll discuss why you need a Privacy Policy, what it should include and what happens if you don’t have one.

What is personal data?

“Personal data” is a term defined in the GDPR. Broadly speaking, it means any information relating to an identified or identifiable individual. This includes information that identifies someone directly, as well as information that identifies someone indirectly when combined with other data. Contact information, like a name or email address, is a common example of personal data. But personal data can also include technical information, such as account details, device identifiers and IP addresses, which the GDPR expressly lists as online identifiers. You may collect this in a variety of ways: through your website, via email, through contact forms and so on.

What is a Privacy Policy?

A Privacy Policy is a legal document that explains how a company collects, uses, stores, shares and secures the personal data of its customers or users. If you provide your personal data to a business, its Privacy Policy should set out the lawful basis on which the company is allowed to process your data, as well as the rights you have as a data subject. (Note that a Privacy Policy is sometimes referred to as a “Privacy Notice” or a “Fair Processing Notice”.)

Do I need a Privacy Policy?

In short – yes. If individuals in the EU or the UK use your website, then you’re legally required to have a Privacy Policy. Note that this turns on where the data subjects are, not on their citizenship: the GDPR applies to businesses established in the EU and to businesses elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. The rule is set out in the GDPR and applies in the UK through the Data Protection Act 2018. The information must be provided at the point you collect data from users, so that is when you need a Privacy Policy in place. (It doesn’t matter precisely where you display your Privacy Policy, as long as it is accessible and easy to find.)

Not only is a Privacy Policy legally required, but many third-party services also insist on one. For example, Apple’s terms require a Privacy Policy before an app can be listed on the App Store, and Google’s terms require a Privacy Policy for sites that use Google Analytics.


What should a Privacy Policy include?

It’s not enough to put up a generic Privacy Policy. All businesses are expected to be able to demonstrate compliance with the data protection principles set out in the GDPR, and a Privacy Policy forms part of this compliance exercise: writing it forces you to map how data is actually used within the business, and publishing it puts that usage on record.

Some of the key information you have to put in a Privacy Policy includes:

  • The identity and contact details of your company (and of your Data Protection Officer, if you have one)
  • The kinds of personal data you collect
  • Why you collect it, and the lawful basis for each purpose
  • Which third parties you receive personal data from and send it to
  • Where you keep personal data and how you keep it secure
  • How long you keep personal data, or the criteria used to decide that
  • Details of any automated decision-making and profiling
  • The rights individuals have under data protection laws, including the right to complain to the regulator
  • How individuals can contact you to exercise those rights

(Keep in mind this is not a full list of requirements, just some of the most important ones.)

In addition to making sure you cover all the required topics, it’s also important to ensure your Privacy Policy is concise, transparent, intelligible and easily accessible, and written in clear and plain language; these are the standards the GDPR itself sets for the notice.

Consequences of non-compliance

Choosing not to put up a Privacy Policy is not a low-risk decision. If you don’t comply with the UK Data Protection Act or the GDPR, you could be exposing your company to a hefty fine. The maximum fines for breaching individuals’ data protection rights are €20 million or 4% of your total worldwide annual turnover for the preceding financial year, whichever is higher.

Bottom Line

Even though most people won’t read your Privacy Policy (other than lawyers), it’s still crucial to have one. Whether your company is located in the EU or not, there’s a chance you will collect personal data from someone in the EU or the UK, which means you need a Privacy Policy. Keeping your company compliant with data protection laws will save you time and money, and increase your customers’ trust in you.

For help writing a legally-compliant Privacy Policy, book a free call with our legal team.

Our legal commentary is not intended to be a comprehensive review of all developments in the law and practice. Please seek legal advice before applying it to specific issues or transactions.
