In summary, a privacy policy sets out who you are, how you will collect, use and store personal data and how a customer/contact can control that use of their personal data.
The law requires that you display a clear link to your privacy policy on your website, at all points of online data collection, including email marketing. Your privacy policy is your opportunity to build customer confidence and trust and make them feel good about doing business online with you.
A good privacy policy is easy to find, easy to read and explains all the web visitor needs to know about your approach to handling the personal data they supply you. It also serves as a promise to your visitors and customers that you will act according to the statements laid out in the policy. So be sure not to promise what you can’t (or won't) deliver!
Below is an outline of the content you should include in your privacy policy to ensure it is user-friendly and regulation compliant:
• State what data you collect, e.g.
  • Name and job title
  • Contact information including email address
  • Demographic information such as postcode, preferences and interests, transactional data
• Explain what you do with personal data – and what you do NOT do.
• State the physical address of the Data Controller.
• List out your group companies, where applicable.
• Explain how the personal data you hold is handled and processed.
• State your policy on the use of cookies, i.e. how you use them and why.
• Your policy on transfer of data overseas (i.e. if you don’t do it, then state this).
• Subject access arrangements – how a customer/contact can gain access to the personal data you hold on them.
• Data security guarantees – i.e. the physical, electronic and business procedures in place to safeguard and secure the information you collect.
• Links to other sites – i.e. where your privacy policy ends, e.g. "such sites are not governed by this privacy statement".
Definitions
Personal data
Personal data is defined as information about a living, identifiable individual – identifiable either from that data, or from other information which is likely to come into the possession of the Data Controller. It includes an expression of opinion about the individual and any indication of intention in respect of the individual.
Data Controller
The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Personal data classified under the Act as 'sensitive personal data'
• Racial or ethnic origin
• Religious or other beliefs of a similar nature
• Physical or mental health or condition
• Sexual life
• Offences (including alleged offences)