A privacy policy is your organization's plan of action for privacy: a written plan that you can operationalize and that sets out the practical steps your organization takes. It is a public-facing document, usually placed in a prominent position on your website, and it is probably the most-read legal notice on your site, because people care about their privacy.

What goes into a privacy policy?

Essentially, a privacy policy should explain the lifecycle of personal information in your organization: how personal information is collected, how it is processed and the purposes for which it is processed. It should also describe the different classes of personal information that you process. Not all classes are treated alike: there is special personal information (which includes health or racial information) and specialized personal information such as account numbers. You also need to tell people how you store their personal information and how they can update or delete it.

There are two sides to the personal information coin: one is protecting someone's privacy and the other is giving people access to information in appropriate circumstances. Your privacy policy should complement your access to information manual. Having both documents improves your organization's reputation and makes you more trustworthy to your customers.

Why should you have a privacy policy?

A privacy policy is useful for your organization. It makes clear what types of information you process and how you process them. Privacy policies help create legitimate business relationships and they can operate as a means of obtaining consent from a data subject. Consent obtained through a privacy policy alone is rather one-sided and would probably be considered tacit consent, so it isn't the most robust form of consent. If you add a checkbox for the privacy policy and some form of verification of the person consenting, the consent becomes explicit and more robust. Even then it isn't a watertight way of obtaining consent, and where you require explicit consent you may need to rely on more elaborate mechanisms.

Privacy policies can be a form of tacit consent, but you shouldn’t rely on them alone where you need explicit consent to process personal information.

One way to think about data protection compliance is that it is like a high-wire act in a circus. Lawful compliance is walking along the high-wire, but you could fall off, so it is important to have safety nets in place. Your privacy policy is one of those safety nets. At the very least, it is a general indication that your organization values privacy and is taking steps to protect it. It can be quite a general document: you don't need to state every single type of personal information that you collect, but rather the broad categories of information.

Another safety net for your high-wire act is consent. Many data protection requirements can be met if the organization obtains the data subject's consent. It probably isn't the best idea to rely on your privacy policy as the sole means of obtaining consent. The kind of consent you need is informed, explicit consent, so systems should be designed with this in mind. For example, if you are collecting someone's health information, explain that you need their consent to collect it in order to complete their medical insurance application.
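To show how the distinction between tacit and explicit consent described above can be carried into a system, here is an added example in Python (not code from the original page or its authors). It models the two ways consent is captured, a privacy policy that is merely published and a checkbox that the person actively ticks, and a check that refuses to process special personal information, such as health data, on tacit consent alone. The category names, the policy-version check, the treatment of a pre-ticked box and the rule that ordinary personal information may rest on tacit consent are assumptions made for the illustration, not statements of what the law requires.

```python
"""
Consent records for a privacy policy, and a check that decides whether a
stored consent is good enough for a given processing activity.
All rules below are an assumed design for this example, not legal advice.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class ConsentKind(Enum):
    TACIT = "tacit"        # inferred only from a published privacy policy
    EXPLICIT = "explicit"  # affirmative act by the data subject (e.g. a checkbox)


# Classes of personal information named on the page. Treating exactly these as
# requiring explicit consent is an assumption for this example.
SPECIAL_CATEGORIES = frozenset({"health", "race"})

# Constructed timestamp so the example runs offline and deterministically.
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    kind: ConsentKind
    purposes: frozenset      # purposes the person agreed to, e.g. {"medical_insurance_application"}
    policy_version: str      # version of the privacy policy shown when consent was given
    verified: bool           # whether the consenting person's identity was verified
    recorded_at: datetime


def consent_from_privacy_policy(subject_id: str, policy_version: str,
                                now: datetime) -> ConsentRecord:
    """Tacit consent: the visitor used the site while the policy was published.
    No purposes are recorded because the person never chose any."""
    return ConsentRecord(subject_id, ConsentKind.TACIT, frozenset(),
                         policy_version, verified=False, recorded_at=now)


def consent_from_checkbox(subject_id: str, purposes: set, policy_version: str,
                          checked: bool, preticked: bool, verified: bool,
                          now: datetime) -> Optional[ConsentRecord]:
    """Explicit consent: only an affirmative act counts.

    A box that was pre-ticked, or never ticked, yields no record at all rather
    than a weaker one, so nothing downstream can mistake it for consent.
    """
    if not checked or preticked:
        return None
    return ConsentRecord(subject_id, ConsentKind.EXPLICIT, frozenset(purposes),
                         policy_version, verified=verified, recorded_at=now)


def consent_sufficient(record: Optional[ConsentRecord], purpose: str,
                       data_category: str, current_policy_version: str) -> bool:
    """Decide whether `record` covers processing `data_category` for `purpose`.

    - no record, or a record given under a different policy version, never suffices;
    - special personal information needs explicit consent from a verified person,
      and that consent must name the purpose being relied on;
    - ordinary personal information is accepted on tacit consent (assumed rule).
    """
    if record is None or record.policy_version != current_policy_version:
        return False
    if data_category in SPECIAL_CATEGORIES:
        return (record.kind is ConsentKind.EXPLICIT
                and record.verified
                and purpose in record.purposes)
    return True


if __name__ == "__main__":
    tacit = consent_from_privacy_policy("subject-1", "v2", EXAMPLE_NOW)
    explicit = consent_from_checkbox("subject-1", {"medical_insurance_application"},
                                     "v2", checked=True, preticked=False,
                                     verified=True, now=EXAMPLE_NOW)
    print("tacit, email for newsletter:",
          consent_sufficient(tacit, "newsletter", "email", "v2"))
    print("tacit, health for insurance:",
          consent_sufficient(tacit, "medical_insurance_application", "health", "v2"))
    print("explicit, health for insurance:",
          consent_sufficient(explicit, "medical_insurance_application", "health", "v2"))
    print("explicit, health for marketing:",
          consent_sufficient(explicit, "marketing", "health", "v2"))
```

The point of returning `None` for a pre-ticked or unticked box, rather than a tacit record, is that the gate in `consent_sufficient` then fails closed for special personal information; an auditor can also see from the stored record which policy version and which purposes the person actually agreed to.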

Should I get a privacy policy if I have a small business?

Yes. Privacy policies are an affordable and practical means of improving your relationship with customers. They instil trust in your business and have considerable marketing value, and they secure your reputation in the market as a reliable, lawful business that considers its customers' privacy important and worth protecting.

  1. Check that your privacy policy is in line with the latest law by asking us to review it for you.
  2. Empower yourself with knowledge about privacy by attending a workshop.
  3. Obtain certainty by getting a legal opinion on a specific privacy issue facing your business.
  4. Start your data compliance journey by joining our data protection compliance programme.