It can also be used for apps and offline.
As well as complying with data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), it will help reassure your customers and website visitors that you protect their personal data and take privacy seriously.
We provide this document for download and use completely free of charge.
- Solicitor approved
- Plain English makes editing easy
- Guidance notes included
- Money back guarantee
This template provides you with the wording you need to create a policy for your website or app.
Most modern websites collect data about the people who visit them. Often it might be clear to visitors when this happens, for example, when they buy from you or sign up for your services, but sometimes it might be less obvious, such as when you track their browsing behaviour.
This document has been written to be suitable for use on any website.
If your business is one of the following types of professional service provider, you'll be able to download a version written specifically for it:
Free to download and use
We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.
Features and contents
The template is written in plain language that is visitor friendly and is structured so that it is both easy to read and easy to edit.
The first part of the notice explains the legal bases you have chosen for processing different types of information and how these types are used.
The second part deals with specific uses. It is intended less to comply with the GDPR and more to reassure customers and to protect you under other laws (for example, copyright law).
The third part sets out requirements under the GDPR and DPA once again: whether data is shared with other organisations; how it can be reviewed; and other miscellaneous matters.
In places, we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may need a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.
This notice can be used by a wide range of types of business. Examples of those currently using it include:
- solicitors, accountants and other business consultants
- e-commerce sites
- service providers such as career development coaches and fitness trainers
- blogs and information sites
- web hosting providers
- community projects
- not for profit organisations and charities
The contents of the document cover:
- Categories of information collected and used, organised by the legal basis for use
- Visitor contributed content
- Payment information, whether debit and credit card information or other financial information
- Other personal identifiers from browsing activity
- Advertising, including use of remarketing
- Data transfers and processing outside the EU
- Access to personal information
- Removal of personal information
- Data retention
If you collect, use or store personal data for any purpose other than purely personal or household use, then UK and EU law requires that you tell the person concerned what data you 'process' and how.
Personal data is any data that identifies, or could be used to identify, an individual. It commonly includes first and last names, contact information such as an email address or delivery address, and payment information such as credit card details. It may also include data that you may not have considered, such as an IP address logged by your web server or video footage recorded by a security camera on your premises.
Third party businesses whose services you use may also require you to publish a privacy notice as part of your contract with them. For example, if you use Google AdSense or Google Analytics, Google requires you to tell your website visitors that you do.
If you don't have a website
Even if you don't have a website, or if you process information by other means, the law still requires you to disclose how you collect, use and store personal data.
Your privacy statement should reflect the way your organisation collects and uses personal data. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.
Your obligation under UK law is not just to publish a statement about personal information you collect, but also to put in place policies and procedures that your website visitors and users never see. While considering how data is collected, used, and managed, the task of editing should prompt you to think about your privacy practices overall and how other parts of your organisation might need to change.
For example, you might need to put in place more secure data transfer processes between two teams or you may be able to reduce the data you collect.
Additionally, a well-written privacy notice is likely to demonstrate your willingness to comply with the law, even if your organisation falls short in some areas.
One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.
Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.
Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well-written notice is therefore likely to reduce the likelihood of immediate punitive action.
The steps you should follow
Read the guidance notes at the end of the document. You'll need to refer back to them as you edit, but having read them first, you'll have a better idea of how to edit.
Make a list of the types of people who you collect personal information about: website visitors, users, customers, employees, contractors and suppliers, business partners, other third parties.
For each of the types of people, make a list of the personal information you collect, use or store. It may be information they provide to you themselves, or it may be information a third party provider (such as a credit reference agency) provides, or it may be data that you collect from your interaction with them.
Be aware that some user data needs to be treated more carefully than other information. 'Special Category Data' is defined by the law as information about a person's race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and trade union membership. It also includes health, genetic and biometric data. If you do process Special Category Data, you need to make sure that you disclose that you do.
Decide on the granularity of your disclosure. It may seem right to disclose every item of data. But that may give users more information than perhaps is useful to them. We suggest you group information into types, such as 'contact information' and 'payment information' and give examples of the types of data in each group. For example, "'Contact Information' is information that we use for the purposes of communicating with you and may include your postal address, your telephone numbers and your email address."
Decide on the basis or bases on which you process personal information. As described further down this page, there are six bases and you are required by law to tell users which ones you use. Most organisations will use at least three of the six ('Consent', 'Legitimate Interests' and 'Legal Obligation'), and possibly four or five. Again, you can give detailed information about which basis is used for each item of data, but it may be more practical to give examples of which groups are processed under each basis.
The bases for processing data covered in this template
Some data could be processed under one basis, and other data under another. Additionally, a basis might change over time.
For marketing purposes, Consent is likely to be the basis used.
For example, a website visitor could enter his or her email address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.
The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use data you collect about him or her.
Contract as a basis can be used where processing the data is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process data. A contract has the same definition as under contract law.
Importantly, the processing must be a reasonable way to deliver your side of the agreement, and the basis can no longer apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.
Legal Obligation can be used as a basis where there is statutory law that requires you to store or use data. For example, HMRC requires all businesses to store records of transactions. Whether other obligations for you to process data exist largely depend on the industry in which you operate or the type of organisation.
Legitimate Interests is the most flexible basis, in that it is most subjective. However, it is not always most appropriate.
For it to be used there needs to be a good reason to process the data (beneficial to the organisation, the individual or both), and processing under this basis must be necessary to achieve it. The data subject's right not to have the data processed must also have been considered. If the individual might not reasonably expect the processing to take place, or if processing might harm the individual's interests, then Legitimate Interests cannot be used as a basis.
Examples of where Legitimate Interests might be used include:
- to obtain insurance for the business to protect against a fraudulent claim
- to notify members of an organisation of a change which, if they were not aware of it, might cause them harm
Cookies are often used to provide website functionality across multiple pages. A cookie is a file that is placed on the user's device that records information collected or generated from a previous page.
In addition, cookies may contain personal data, and even if they don't, their purpose may be linked to processing personal data.
You may wish to read more about disclosure requirements for cookies before deciding how much information about them to disclose.
To summarise that article:
Do I need to comply with privacy laws outside the UK?
Other legal jurisdictions have similar privacy laws to the Data Protection Act.
You may have been told that you need to comply with the Privacy Act; the Personal Information Protection and Electronic Documents Act (PIPEDA) or the California Online Privacy Protection Act (CalOPPA).
While every enforcement authority would like the reach of their legislation to be global, enforcing privacy laws outside their jurisdiction is very difficult unless your business or organisation has some assets in that jurisdiction.
In any case, because the DPA sets such a high standard for disclosure, if you comply with UK law, particularly in respect of 'openness', you're likely to meet most of the requirements of other countries around the world by default.
You do need to make sure that users have an opportunity to read your privacy notice. So it is a good idea to follow common practice and link to it from an expected location such as your website's footer.
You can also provide links to it whenever a user gives personal data. This should remind the user that you take data privacy seriously and that he or she can trust you. As examples, you might do so on email newsletter sign-up forms, 'contact us' forms, account creation forms and e-commerce checkout pages.
Do I also need a data protection statement, GDPR policy or data processing agreement?
Privacy policies are also known as privacy statements or privacy notices. The statement discloses the policy of the organisation in so far as it is a 'controller' of personal information.
You may also hear about 'data protection statements' or 'GDPR policies'. These are usually documents with a different purpose and audience - to tell employees or third party contractors of the internal business processes that protect the customer's privacy and rights. They are usually appended as a schedule to a contract for services or form part of the staff handbook.
In addition, your business may use a 'data processing agreement' to make sure that if a third party processes personal information, it complies with the law. Doing so is a requirement of the GDPR. Certain clauses are mandatory, others expand on them for specific data or circumstances.
This document was written by a solicitor for Net Lawman. It complies with current English law.
"I was really pleased with my recent experience of using Net Lawman. I was able to obtain important legal documents, needed to support my small business. Net Lawman understood my needs and provided fast and efficient service without incurring the significant costs of a traditional law firm. I would both recommend and use Net Lawman again." - Shireen Arthur
"Quoted £1000 by my company's law firm - paid £10 with Net Lawman." - Spicer and Moore Ltd.
"Makes me wonder why I have spent so much for so long with lawyers who charge £200+ per hour and take ages to make something complex!" - Kevin Jones