Privacy Policy vs Privacy Notice
In data protection programs, the terms privacy policy and privacy notice can often be used interchangeably. In most cases, they refer to the same document, the content of which aims to provide the reader with information about the how, why and what of processing personal data.
There are some suggestions that a Privacy Notice is a direct reference to the information presented at the time personal data is obtained. For example, a screen pop-up or link on a website when a form is being completed. Whereas a Privacy Policy refers to an internal policy used to provide guidance and disseminate company policy to employees. The majority of UK firms tend to use the term Privacy Notice which should contain all information set out in the ‘Right to be Informed’. The Information Commissoners Office (ICO) refer to this information as ‘privacy information‘.
The Right to be Informed
Whilst the content in a Privacy Policy Template can vary from firm to firm, the general sections and layouts should be similar as they need to follow the UK GDPR requirements on what information is provided to an individual whose personal data is being processed.
Article 12 of the UK GDPR states that the privacy information laid out in Articles 13 and 14 must be communicated to the data subject in a concise, transparent, intelligible and easily accessible form. Plain and clear language must be used that is subject relevant and jargon free.
- Controllers identity and contact details (including any representative)
- Data protection officer contact details (where applicable)
- Purpose of the processing
- Legal basis of the processing
- Legitimate interests for the processing (where applicable)
- Recipients or categories of recipients of the personal data
- Details of transfers outside the UK and any adequacy regulation or safeguards in place
- Period for which the personal data will be stored
- Data subjects rights relevant to the processing (as per Articles 15-22)
- Right to withdraw consent (where applicable)
- Right to lodge a complaint with the Commissioner
- Whether providing personal data is a statutory or contractual requirement
- Consequences of failure to provide personal data (where applicable)
- The existence of automated decision-making (including profiling)
Example Privacy Notice Sections
Based on the above requirements that must be included in a privacy notice, the below headings can be used in a privacy notice to relay the legal privacy information required under the UK GDPR. This list is not mandatory, but does follow the generic format used by most businesses when providing a privacy notice.
Who We Are – insert details about the company along with a general statement about processing personal data. You should include the company name, address (trading and registered) and any relevant company or registration numbers. You can also include details of the DPO or main point of contact.
Information That We Collect – state why you collect personal data and what type of data you collect. You may need different privacy notices for different processing activites to ensure that they are appropriate and relevant. You can also note how personal information is collected (i.e. website forms, CCTV, CV’s etc).
Legal Basis for Processing – this explains to the data subject how you use their personal data and on which UK GDPR legal basis you rely. It is helpful to provide bullet points on the types of data collected and which basis you rely on to do this so that the privacy information is clear and concise.
Your Rights – ensure that all individuals understand their rights under the UK GDPR and explain how to exercise those rights. Also include any information on the use of automated decision making and/or the use of CCTV if applicable.
Sharing and Disclosing Personal Information – you should document how and why you share any personal data with third parties and provide details of the third party name and contact details. It is also good practice to provide a link to the third parties privacy policy.
Safeguarding Measures – what measures do you have in place for protecting and securing the personal data that you process? You obviously don’t need to list all of your information security measures, but instead provide a brief summary of measures such as SSL, TLS, encryptions, pseudonymisation, restricted access, IT authentication, firewalls, anti-virus/malware etc.
Processing and Transfers Outside the UK – if applicable you should document what and why you transfer personal data outside the UK and also provide any reasons for doing this. If offering services/products to individuals in the EU, you will need to comply with GDPR Article 27. This means appointing a representative who is established in the relevant member state and providing their details in the privacy notice.
Consequences of Not Providing Personal Data (if relying on statutory/contractual requirement basis) – you should explain what may happen if personal data is not provided when it is a statutory/contractual requirement (i.e. you may not be able to offer some/all of your products to the individual.)
Legitimate Interests (if applicable) – if you have completed a legitimate interests assessment and are relying on this legal basis for processing, you will need to note what data is processed under the legitimate interests basis and why you are relying on this.
Retention Periods – explain to data subjects that you only ever retain personal information for as long as is necessary. You should provide any retention periods specific to the personal data being collected and/or any criteria used to determine the retention period.
Special Categories Data – if you process special categories of personal data you will need to document in your privacy notice the reasons that this is required and what legal basis you are relying on for the processing.
Consent – if you are using consent as your lawful basis for processing, you must evidence that consent has been obtained via an affirmative action (i.e. signature, non-ticked box). This must be collected and recorded for each processing activity.
Marketing – for firms that send marketing materials, you have the option of using either consent or legitimate interests. You will need to assess which is the most appropriate legal basis and demonstrate that you have weighed the data subjects interests against your own.
Lodging A Complaint – you are required to provide details of the supervisory authority, which for the UK is the Information Commissioner’s Office. Note their name, address and contact details.
Privacy Policy Template and GDPR Template Toolkits
With thousands of organisations already using our GDPR policy templates and toolkits, why not purchase one of our market leading GDPR Policy Template packs. We have written professional, ready to use content that is also fully customisable and offers a vast range of data protection policy templates and GDPR checklists.