Privacy Policy
(UK GDPR)
Summary
This privacy policy template is a client-facing data protection policy (or privacy notice), intended for general commercial organisations based in the UK. It is also intended to cover third parties whose personal data you may receive in the course of acting for a client. This template contains practical guidance and drafting notes. It reflects the information and transparency requirements in the UK General Data Protection Regulation (UK GDPR) and relevant guidance issued by the Information Commissioner's Office (ICO), supplemented by the European Data Protection Board (EDPB).

Your privacy notice can be published on your website and attached to your terms and conditions, although you will also need to publish a separate cookie policy.

This template is not intended as a vehicle for obtaining consent to process personal data or explicit consent for processing special category personal data. Any request for consent should be prominently drawn to the attention of the data subject, not buried in a lengthy privacy policy. So far as possible, this template identifies non-consent-based lawful grounds for processing.

You may wish to change the title of this template to Privacy notice or Fair processing notice. This template is not sector-specific; there is a separate privacy policy template for law firms and professional services providers. The title of this template adopts the term "privacy policy" rather than "data protection policy" for two reasons:
• To distinguish it from the internal (employee-facing) policy, and
• In recognition of market practice ("privacy policy" appears to be the term adopted by many commercial and professional organisations for client-facing data protection policies)

The terms "privacy policy," "data protection policy," "privacy notice," and "data protection notice" are interchangeable. You can adopt whichever you prefer, but we recommend that, to promote clarity, you give your internal (employee-facing) policy a different title from your external (client-facing) policy.

Key Guidance When Preparing a Privacy Policy
This template reflects relevant guidance, predominantly:
• ICO Guidance—The right to be informed
• EDPB Guidance—WP 260: Guidelines on transparency

How to Prepare
This privacy notice should be tailored to reflect what personal data your organisation processes, why, and how. This will require an understanding of:
• What personal data you hold
• How you process this personal data
• Your reasons for doing so
• Where the personal data came from
• Who you would share it with
• Where personal data will be stored and for how long
• Which lawful ground you rely on for each type of processing
• Where you rely on legitimate interests as your lawful ground for processing, what those legitimate interests are
• What rights data subjects will have in relation to each type of processing
• Whether you make solely automated decisions about data subjects that have legal or similarly significant effects
It is recommended that, before drafting or reviewing this privacy notice, you carry out a data mapping exercise to help answer the above questions.

Transparency under the UK GDPR
You must provide information:
• In a concise, transparent, intelligible, and easily accessible form
• Using clear and plain language, particularly if addressed to a child
• In writing or by other means, including electronically (or orally, when requested by the data subject)
• Free of charge
See Articles 12(1) and 12(5) of Assimilated Regulation (EU) 2016/679, UK GDPR.

Layering
A layered approach to delivering privacy information typically consists of providing people with a short notice containing key information, such as the identity of the organisation and the way it uses the personal data. It may contain links that expand each section, revealing a second layer, or a single link to more detailed information. These can, in turn, contain links to further material that explains specific issues. See ICO Guidance—The right to be informed—How should we draft our privacy information?

For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit. For a full listing of key content that can be used by in-house counsel to develop, revise, and implement a company's employee and third-party-related policies, see In-House Company Policies Resource Kit. For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.