Getting a privacy policy for your website

Internet users are constantly required to trust websites with sensitive, personal information. The more the user is required to reveal, the more important it is for the website to provide full data protection. Building a foundation of trust is therefore advisable, and website owners can achieve this by publishing a privacy policy that explains what kind of user data is collected, how it is collected, and how the collected data is used.

Privacy Policy for websites and the GDPR

Definition

A privacy policy is a document that explains how a company or organisation handles any information it gathers. It should reveal the information it plans to collect such as name, address, credit card number, etc. If data is to be left on a user’s computer (such as cookies), this should be specified and also whether the customer’s data will be shared or sold to third parties.

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy, which applies within the European Union (EU) and the European Economic Area (EEA). The main goal of this regulation is to give citizens and residents more control over their data and what happens to it. With all EU countries subject to the same rules, doing business across borders becomes a lot easier. Companies processing the personal data of people in the EU or EEA must implement appropriate technical and organisational safeguards, such as pseudonymisation or anonymisation where possible, and apply data protection by design and by default. Personal data may not be processed, including being made publicly available, without a lawful basis such as the data subject’s prior consent. If a personal data breach occurs, the business must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.

Although the GDPR was adopted in April 2016, it has only applied since 25th May 2018. Since it is a regulation rather than a directive, it is directly applicable and does not require national governments to pass implementing legislation. In the UK, the Data Protection Act 2018 was granted royal assent on 23rd May 2018; it supplements the GDPR and is intended to keep UK data protection law aligned with the EU after Brexit.

What is the Data Protection Act 2018?

The act is essentially the UK’s implementation of the GDPR. Its aim is to modernise data protection laws to make sure they remain effective in the coming years. The GDPR leaves member states only limited room for national variation; the DPA 2018 applies the GDPR standards and, in addition, covers areas the GDPR does not reach:

  • It contains a part on processing that doesn’t fall within EU law, e.g. relating to immigration. The GDPR standards still apply, but those that are unsuitable for the UK have been amended.
     
  • One part transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. It lists the requirements for processing personal data for criminal law enforcement purposes.
     
  • Intelligence services must comply with internationally recognised data protection standards. Therefore, provisions based on Council of Europe Data Protection Convention 108 apply to them.
     
  • There are parts covering the ICO’s duties, functions, and powers, plus the enforcement provisions. Because the Data Protection Act 1998 is repealed, these changes are also necessary to deal with the interaction between FOIA/EIR and the DPA.

When are privacy policies mandatory in the UK?

Firstly, all UK-based online companies are required to be open with users about how their personal data will be used. ‘Personal data’ is here defined as any data that ‘relates to a living individual who can be identified from that data’. This extends to any data relating to a person in a private or professional capacity. Meanwhile, there is a separate definition for ‘sensitive personal data’ (called ‘special category data’ under the GDPR), which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, physical or mental health, and sexual life or orientation; data about criminal convictions and offences is subject to its own, similarly strict rules. If any personal or sensitive personal data is to be processed, it is mandatory for the website owner to display a privacy policy. This must explain what cookies will be used and for what purpose. Under the Privacy and Electronic Communications Regulations (PECR), websites also cannot store cookies on a user’s device, other than those strictly necessary for a service the user has requested, without first obtaining that user’s consent.

The issues surrounding data collection are certainly controversial. A great deal of data is saved automatically, often without the user’s knowledge. For example, web servers record IP addresses in log files, integrated social media icons pass on personal details relating to social network profiles, and cookies save information about users and their online behaviour. The data protection issues surrounding website analytics tools, such as Google Analytics, are also controversial, as such tools record data like IP addresses. Website operators can reduce the identifiability of this data, and with it their dependence on user consent, by truncating the IP address before it is stored (for IPv4, by removing the last octet). Whether a truncated address counts as anonymised or merely pseudonymised is itself disputed, so it is safest to keep treating truncated addresses as personal data in the privacy policy.
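As an added example (not part of the original article), the Python script below applies the truncation just described to constructed Apache/nginx “combined” format access-log lines before they are retained: IPv4 addresses lose their last octet and IPv6 addresses their last 80 bits, which is the truncation Google Analytics documents for its IP anonymisation option. Treating the first field as the client address and replacing anything that does not parse as an IP with “-” (fail closed) are this example’s own choices, not requirements from the page.

```python
"""Anonymise client IP addresses in web-server access logs.

Constructed example: the client IP in each Apache/nginx "combined" format
line is truncated before the line is kept. IPv4 addresses lose their last
octet (keep /24) and IPv6 addresses their last 80 bits (keep /48).
"""
import ipaddress
from typing import Iterable, List

IPV4_KEEP_BITS = 24   # keep the /24 prefix, zero the last octet
IPV6_KEEP_BITS = 48   # keep the /48 prefix, zero the last 80 bits


def anonymise_ip(raw: str) -> str:
    """Return the truncated form of an IP address string.

    Anything that is not a parseable IP address (a hostname, a "-"
    placeholder, a garbled field) is replaced by "-" so that an
    unexpected identifier is never written through unchanged.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "-"
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network zero the host bits for us; the network
    # address is the truncated form we want to store.
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def anonymise_log_line(line: str) -> str:
    """Anonymise the client address in one combined-format log line.

    The client address is the first whitespace-delimited field; the rest
    of the line (identity, timestamp, request, status, size, referrer and
    user agent) is returned unchanged.
    """
    if not line.strip():
        return line
    client, sep, rest = line.partition(" ")
    return anonymise_ip(client) + sep + rest


def anonymise_log(lines: Iterable[str]) -> List[str]:
    """Anonymise every line of a log, preserving order."""
    return [anonymise_log_line(line) for line in lines]


# Constructed sample lines using RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2023:13:56:01 +0000] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not-an-ip - - [10/Oct/2023:13:56:07 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for anonymised in anonymise_log(SAMPLE_LOG):
        print(anonymised)
```

Run the truncation in the log pipeline (for example, in the process that rotates or ships the access log) rather than on an already-archived copy, so that the full address is never written to long-term storage in the first place.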

What are the sanctions for non-compliance with privacy policy laws?

The Information Commissioner’s Office (ICO) has the power to impose fines or bring criminal proceedings if misleading or unlawful practices are detected. The most common offences involve obtaining, disclosing, or procuring the disclosure of personal data without the controller’s or users’ consent, causing significant damage or distress to the individuals concerned. Further punishable offences include selling personal data that has been obtained illegally, processing data covertly, failing to comply with an enforcement notice, or authorising any of these activities in a managerial position. Website owners can also be punished for failing to take steps to prevent a breach of the DPA.

If the Information Commissioner brings an offence before the magistrates’ court, website owners can incur a fine of up to £5,000; if the case is tried on indictment and heard by the Crown Court, the fine is unlimited.

For the most serious breaches of the GDPR, a company can be fined up to 4% of its annual global turnover or €20 million (about £17.7 million), whichever is greater. This is the maximum possible fine; a lower tier of up to 2% of turnover or €10 million applies to infringements such as failing to keep proper processing records or failing to report a data breach.

Incorporating a privacy policy into your website

You should ensure your privacy policy is as accessible as possible. Design it like the rest of your site with a clearly marked link on the main menu. According to GDPR, it is also essential that the privacy policy is easy to understand, so it is advisable to use simple language and avoid complex legal or technical terms. It’s not enough to just include a link to an excessively long privacy policy when people register on your site. In terms of content, it is vital that the information is accurate and unambiguous.

You can’t expect your customers to trust you if you aren’t being honest with them when it comes to what data is being collected and the reasons for it. Make sure you answer these points when compiling a privacy notice:

  • What information is being collected?
  • Who is collecting it?
  • How is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How will this affect the individuals concerned?
  • Is there a chance the intended use will cause individuals to complain?

The ICO’s website has even more detailed information on the privacy information you need to provide.

These points are also important to include in your privacy policy:

  • A summary of the technical data collected and/or passed on (e.g. IP addresses, email addresses, etc.)
  • A summary of the personal data collected and/or passed on (e.g. name, address, etc.)
  • Data transmitted by the browser (e.g. browser type and version, referring page)
  • Information about special features, like competitions, online advertising, etc.
  • If applicable, information on the use of web analytics tools such as Google Analytics
  • Actions taken to ensure the security of data
  • Information about the user’s right to object, e.g. information about how to block cookies

Just because the Data Protection Act 1998 has now been replaced by the Data Protection Act 2018 and the GDPR, it doesn’t mean you have to rewrite your website’s privacy policy from scratch. There are six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. If you asked users for consent before the new laws came into force, it doesn’t necessarily mean you have to ask for it again. Any existing consent that already meets the GDPR requirements doesn’t need to be renewed. Sending customers e-mails asking whether they still want to hear from you could actually have a detrimental effect, since it fills their inboxes with unwanted mail and could leave them with a negative attitude towards your company.

Contents of a GDPR-compliant privacy policy

Legal foundations for data processing

It is your duty to inform users of the legal basis for collecting and processing personal data. To do this, at least one of the following conditions must be fulfilled in accordance with Article 6 of the GDPR:

  • The subject has given their consent
  • Processing data is necessary to fulfil a contract with the subject or for carrying out pre-contractual operations
  • The controller fulfils a legal obligation to which they are subject
  • The purpose of processing is to protect the vital interests of the data subject or another person
  • The data processing is in the public interest
  • It is necessary to safeguard the legitimate interests of the controller or of a third party (provided that the fundamental rights and freedoms of the subject do not override those interests).

Sample of providing a legal basis

Insofar as we have obtained the consent of the data subject for the processing of personal data, Article 6(1)(a) of the GDPR applies as the legal basis.

Where the processing of personal data is necessary to fulfil a contract with the data subject or for pre-contractual measures initiated by the data subject, Article 6(1)(b) of the GDPR provides the legal basis.

If the data processing is the result of a legal obligation to which we are subject, we refer to Article 6(1)(c) of the GDPR as the legal basis.

Where personal data is processed in order to protect the vital interests of the data subject or another natural person, Article 6(1)(d) of the GDPR serves as the legal basis.

If the data processing serves a task carried out in the public interest or in the exercise of official authority, we refer to Article 6(1)(e) of the GDPR as the legal basis.

Insofar as the processing of personal data is necessary in order to safeguard the legitimate interests of the controller or a third party, and those interests are not overridden by the interests, fundamental rights or fundamental freedoms of the data subject, Article 6(1)(f) of the GDPR shall apply as the legal basis.

Purposes of data processing

In addition to the legal basis, you must list in your privacy statement the purposes for which the relevant data is processed. In order to achieve transparency, we recommend that you disclose every component of your website that collects this data, for example:

  • Contact forms
  • Newsletter subscription
  • Input fields (e.g. for entering bank details in a shopping cart)
  • Tracking codes
  • Third party plugins (e.g. social buttons)
  • Third party content (e.g. YouTube videos)
  • Competitions
  • Cookies
Note

When it comes to embedding external content, you will need to exercise even more caution, since the GDPR increases the obligation to inform the user before any data processing takes place. However, much third-party content, such as YouTube videos, transmits data to the provider by default as soon as the page is loaded. Google has reacted to this with a “privacy-enhanced mode” in YouTube’s embedding options (served from the youtube-nocookie.com domain). If you enable it, you generate an embed code under which YouTube does not store information about the visitor until the video is actually played.

If the previously mentioned Article 6(1)(f) of the GDPR is relevant to your website, you should also state your legitimate interests in your privacy policy. When doing so, you should check whether you are protecting the interests and rights of your website’s users as well as possible. Typical purposes are, for example, analysing visitor behaviour to optimise the website, or delivering personalised content for marketing purposes.

Template for indicating the purposes of data processing

In order to make your visit to our website as user friendly as possible, and to provide you with all the available features, we collect specific data from the device you use to access our website. This data includes your:

  • IP address
  • Operating system
  • Browser type and version
  • Date and time of access

An evaluation of this data for marketing purposes will not take place.

Recipients of personal data

If you pass personal data along to third parties, you must also inform your users of this as part of the data protection declaration. For example, if you run an online shop, you are very likely to include other service providers such as suppliers or payment services in your business process.

This section also covers third-party cookies and extensions, the use of which necessarily involves disclosing personal data to the third party. These include tracking codes and social media buttons. In both cases you can cite a legitimate interest to justify their use; however, it is advisable to also obtain the visitors’ consent (in the case of social media buttons, by means of a data-protection-compliant procedure such as the two-click solution, where the button only contacts the social network after the visitor has actively enabled it).

You should also list advertising services such as Google AdSense or AdWords as recipients if you use them to monetise or advertise your website.

Sample of specifying embedded third-party vendors (example: “Facebook Plugin”)

This website uses a Facebook social plug-in developed by Facebook Inc. (1 Hacker Way, Menlo Park, California 94025 USA), recognisable by the Facebook logo. Once activated, the plugin establishes a direct connection between your browser and the Facebook servers. Activation requires a click on the appropriate button. We have no influence whatsoever over what kind of data is transmitted to Facebook Inc. or to what extent. A statement by the social media company on this topic can be found at the following link: www.facebook.com/help/186325668085084.

Note

If you intend to disclose personal information to a recipient in a third country or to an organisation that operates internationally, you should also disclose that intention here in your privacy policy.

Duration of data storage

In order to make data processing as fair and transparent as possible, you should also disclose how long personal data will be stored. If no precise period can be given, you can instead state the criteria that determine the storage period. For example, you can provide concrete information about the storage of anonymised IP addresses in the log files if you have configured automatic deletion after a certain period of time. If, on the other hand, you work with cookies that make the visitor identifiable for the duration of the session, the storage period is tied to the length of each individual session.

Sample of a data storage duration specification

All personal data that we have collected during your visit through the use of session cookies is automatically deleted as soon as the purpose for its collection has been fulfilled. The session data is therefore stored until you end your session (by leaving or closing the website).

Note

If you store the personal data on servers outside the UK, this must be stated in the data protection declaration of your website – including reference to possible different data protection regulations (in particular for countries outside the EU).

Reference to the data subject’s rights

All users from whom you collect personal information have a number of rights, known as “data subject rights”. For example, the right of access under Article 15 GDPR entitles the data subject to detailed information on the processing purposes, the recipients, the storage period and the origin of the data. In addition, users have the right to rectification of their personal data under Article 16 GDPR and, under certain conditions, the right to erasure under Article 17 GDPR.

Sample of reference to data subject’s rights

According to the GDPR, you are considered a data subject if personal data concerning you is processed by us. For this reason, you can exercise the various data subject rights laid down in the General Data Protection Regulation. These are the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR), the right to object (Article 21 GDPR) and the right to lodge a complaint with a supervisory authority (Article 77 GDPR).

Clarification of legal or contractual obligations to collect data

To the extent that the provision of personal data is required by law or contract or is indispensable to completing a contract, you must inform your users accordingly. It is also necessary for you to provide information about the consequences of not providing such information.

Sample of clarifying data collection obligations

The collection of your personal data is indispensable for concluding a contract and for fulfilling our contractual obligations and services. If you do not provide us with the requested information, neither the conclusion of a contract nor the provision of further contractual services is possible.

Information on the use of automated decision making (including profiling)

If you use automated decision making, including profiling, you are required to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of this kind of processing for the data subject. The background is that, in principle, your users have the right “not to be subject to a decision based solely on automated processing, including profiling” (Article 22 GDPR). However, this right does not apply if the automated procedure is necessary for entering into or performing the contract, is authorised by EU or member state law, or is based on the data subject’s explicit consent.

Sample reference to automated decision making or profiling on your website

Before concluding your contract, we will carry out a fully automated credit assessment to determine your creditworthiness…

Representative Contact Details

Best practice requires your privacy policy to include contact information for customers who have a query regarding the policy or their data. The policy may give the name, postal address, email address or telephone number of the person responsible. Here is a sample of what the relevant paragraph in your privacy declaration may look like:

Sample contact details:

Name of the individual(s) responsible

1562 Main St

London

SW1A 2AA

Tel: (telephone number)

Email: sample@email.com

Does my company need a Data Protection Officer?

The GDPR does not require every business to appoint a Data Protection Officer (DPO). Under Article 37, a DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of special category data (such as health, ethnicity, religion or sexual orientation) or criminal offence data. The DPO’s job is to inform and advise the organisation on its data protection obligations, to monitor compliance with the GDPR, and to act as the point of contact for data subjects and the supervisory authority.

If you are unsure whether your company falls into one of these categories, the best course of action is to seek legal counsel, as the repercussions for failing to appoint a DPO where one is required can be severe. More information about data protection officers can be found here.

If you need to hire a DPO, you must include their contact information in your website’s privacy policy. Here is a sample of what their contact information could look like in your privacy policy:

The data protection officer of this company is:

Name of the individual(s) responsible

1562 Main St

London

SW1A 2AA

Tel: (telephone number)

Email: sample@email.com

Support with privacy policies: templates and generators

Many free online solutions provide assistance in generating privacy policies for websites, such as the one from Rocket Lawyer. Ready-made templates are also available, and a simple Google search is usually enough to find one suitable for your needs. Prewritten sample clauses are a further option. These cover typical topics such as social networks, cookies or newsletters, and include the standard data protection wording for Google Analytics and other analysis tools, including links for users who wish to object to their data being passed on to third parties.

In addition to the many templates that are available, some websites also offer free privacy policy generators, which assemble sample texts into a final statement. The result is usually delivered as HTML.

Templates and generators make it easy to draft a sufficient privacy policy for your website. However, it is important to take care and ensure that the results are relevant. Samples can provide a great basis for your statement, although there are often details that need changing or elaborating on. If you are unsure whether your privacy policy is correct, it is advisable to seek advice from a legal expert.

GDPR: A summary of the most important points

The General Data Protection Regulation makes data protection in EU countries more transparent, understandable and secure. The need for a complete, comprehensive privacy statement is at the heart of this, especially for website operators who handle large amounts of personal data. If you have already drafted a privacy statement in the past, you will have noticed in the points above that the disclosure of legal bases and the reference to users’ rights are the major innovations.

Of course, these two aspects are by no means the only things distinguishing a privacy statement revised or newly created to the GDPR standard from older versions: now more than ever, you have the responsibility of explaining the purposes of data processing in a detailed, comprehensive way that leaves no open questions for your users. Should your users have questions nonetheless, you or your DPO must be available to answer them. The GDPR also emphasises that users must be informed as early as possible, and always before the data is collected.

Tip

You are welcome to use our new GDPR-compliant privacy policy as a source of inspiration for your own privacy policy.

Please note the legal disclaimer relating to this article.
