Why Do I Need a Website Privacy Policy?

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18), individuals have the right to be informed about how you obtain and use their personal data. Article 13 of the UK GDPR sets out the mandatory information that must be provided to an individual when their data is collected.

The provision of this information forms the basis of your privacy policy and it must be displayed on your website in an easy to access location. When you collect the personal data, such as in a contact form or during an online transaction, you should provide an link to the privacy policy at that time.

What Should Be in the Privacy Policy?

Where personal data is obtained directly from your website, you must provide the below information at a minimum. This should be in an easy to read and understand format.

• Your identity and contact details.
• The contact details of your data protection officer or appointed person.
• The purpose(s) of the processing for which the personal data is intended.
• The legal basis for the processing.
• Details of any legitimate interests if this legal basis is being relied on.
• The recipients or categories of recipients of the personal data.
• If applicable, details of any transfer of the personal data to a third country or international organisation.
• The period for which the personal data will be stored.
• The existence of the right to request access; rectification or erasure; restrict processing, object and data portability.
• The existence of any automated decision-making or profiling.