Think of your organisation’s privacy policies like a growing garden; living documents that need regular updates to stay well-kept. As regulations change and your data practices evolve, it’s crucial to refresh these policies to remain compliant, maintain transparency, and build trust. This guide covers practical best practices for updating your privacy policies, focusing on clarity, legal requirements, and good communication.

Why it’s essential to update your privacy policies regularly

Regular updates to privacy notices and policies are necessary for several reasons:

  • Legal compliance — Organisations must inform individuals about their data processing activities under relevant data protection laws, such as the GDPR in the EU, UK GDPR in the UK, and POPIA in South Africa. Regularly updating your privacy policies ensures compliance with the latest legal standards, helping you avoid fines and other legal issues. Supervisory authorities worldwide have penalised companies that failed to keep their privacy notices accurate, highlighting the importance of staying up to date.
  • Building trust — An accurate privacy notice shows that your organisation values transparency, which builds trust with customers, employees, and other stakeholders. By explaining clearly how you collect, use, and protect personal data, you demonstrate a solid commitment to privacy.
  • Reflecting changes in data practices — Your data processing activities may change as your organisation expands or introduces new technology. You might start collecting new types of data or enter new markets. Updating your privacy policies to reflect these changes is essential, ensuring ongoing compliance and transparency.

Critical elements of a comprehensive privacy notice

When updating privacy policies, make sure that each notice includes the following core elements:

  • Contact information — Provide your organisation’s name, address, and contact details. Include the contact information of your Data Protection or Information Officer (DPO or IO) or relevant privacy contact so individuals can easily reach out with questions or concerns.
  • Types of data collected — List the categories of personal data you collect. Be specific. This can include identifiers like names, contact details, financial information, or sensitive data such as health records.
  • Data sources — Explain where the data comes from, whether directly collected from individuals or obtained from third parties like service providers or publicly available databases.
  • Purpose of data processing — Clearly state why you collect the data and what you use it for. Examples include providing services, meeting legal requirements, marketing, or improving the user experience.
  • Legal basis for processing — Under relevant data protection laws, every data processing activity must have a legal basis, such as consent, fulfilling a contract, legal obligations, legitimate interests, or vital interests. Clearly state the legal basis for each processing activity.
  • Data sharing — Give details about who you share the data with, such as third-party processors, business partners, or regulatory authorities. Include information about any data protection measures in place.
  • Data retention periods — Specify how long you keep personal data. If you cannot provide a specific period, explain the criteria you use to determine retention times.
  • Individual rights — Inform individuals of their rights under relevant data protection laws, such as the right to access, correct, delete, or restrict their data. Provide clear guidance on how they can exercise these rights.
  • Security measures — Outline the steps your organisation takes to protect personal data. This might include encryption, access controls, or regular security reviews.
  • International data transfers — If you transfer personal data outside the country where you process it, describe the safeguards in place, such as standard contractual clauses or adequacy decisions.
  • Automated decision-making — If your organisation uses automated processes, including profiling, explain the logic behind these decisions and their potential effects on individuals.

Questions to ask when updating privacy policies

When reviewing your privacy policies, consider these key questions:

  • Have your data processing activities changed since the last update?
  • Are you collecting any new types of personal data?
  • What is the legal basis for each data processing activity?
  • Are your data retention periods still appropriate?
  • How do you manage and record consent?
  • Is the language in your notice clear and easy to understand?
  • Are individual rights clearly explained with simple instructions?
  • Have your third-party data-sharing practices changed?
  • Do you have a straightforward procedure for data breach notifications?
  • Have you updated information about international data transfers?
  • Have all relevant departments (e.g., Legal, HR, IT) reviewed the changes?

Best practices for updating privacy policies

Follow these tips to ensure your privacy notices are clear, compliant, and user-friendly:

  • Use plain language — Write in plain English to make your privacy notice understandable for everyone, including non-experts. Avoid legal jargon and aim for concise, straightforward language.
  • Be transparent — Be honest about your data practices. Clearly explain what data you collect, why you collect it, and how you use it. Avoid vague statements that might confuse your audience.
  • Review regularly — Establish a regular review schedule, especially after significant changes to your data processing activities or following updates in legal requirements. Most experts advise conducting reviews at least annually.
  • Provide clear guidance for exercising rights — Make it simple for individuals to exercise their rights. Include easy-to-follow instructions and relevant contact details.
  • Communicate changes effectively — When you update your privacy notice, inform stakeholders through multiple channels, such as email updates, website notifications, or internal messages.

Actions you can take next

Updating your privacy policies is more than a legal requirement; it’s vital to showing your commitment to data protection and maintaining trust with your stakeholders. By carefully reviewing your data practices, using plain language, and communicating changes clearly, your organisation can ensure compliance and demonstrate transparency. You should: