Privacy Policy
(UK GDPR)
Summary
This privacy policy template is an external (customer-facing) data protection policy (or privacy notice), intended for general commercial organisations based in the UK. It reflects information and transparency requirements in the UK General Data Protection Regulation (UK GDPR) and relevant guidance issued by the Information Commissioner's Office (ICO) and European Data Protection Board (EDPB). This template contains practical guidance and drafting notes.

This template can be attached to your terms and conditions and/or published on your website, although you will also need to publish a separate cookies policy.

This template is not intended as a vehicle for obtaining consent to the processing of personal data. Any request for consent should be prominently drawn to the attention of the data subject, not buried in a lengthy privacy policy. So far as possible, this template identifies non-consent-based lawful grounds for processing.

You may wish to change the title of this template to Privacy notice or Fair processing notice. This template is not sector-specific, and there is a separate privacy policy template for law firms and professional services providers.

The title of this template adopts the term "privacy policy" rather than "data protection policy" for two reasons:
• To distinguish it from the internal (employee-facing) policy; and
• In recognition of common market practice ("privacy policy" appears to be the term adopted by many commercial and professional organisations for customer-facing data protection policies)

The terms "privacy policy", "data protection policy", "privacy notice" and "data protection notice" are interchangeable. You can adopt whichever you prefer, but we recommend that, to promote clarity, you give your internal (employee-facing) policy a different title from your external (client-facing) policy.
Key Guidance When Preparing a Privacy Policy
This template reflects relevant guidance, predominantly:
• ICO Guidance—The right to be informed
• EDPB Guidance—WP 260: Guidelines on transparency
According to the ICO, the EDPB guidelines are no longer directly relevant to the UK regime. However, they may still provide helpful guidance on certain issues.

How to Prepare
This privacy notice should be tailored to reflect what personal data your organisation processes, why, and how. This will require an understanding of:
• What personal data you hold
• How you process this personal data
• Your reasons for doing so
• Where the personal data came from
• Who you would share it with
• Where personal data will be stored and for how long
• Which lawful ground you rely on for each type of processing
• Where you rely on legitimate interests as your lawful ground for processing, what those legitimate interests are
• What rights data subjects will have in relation to each type of processing
• Whether you make solely-automated decisions about data subjects that have legal or similarly significant effects
It is recommended that, before drafting or reviewing this privacy notice, you carry out a data mapping exercise to help answer the above questions.

Transparency under the UK GDPR
You must provide information:
• In a concise, transparent, intelligible, and easily accessible form
• Using clear and plain language, particularly if addressed to a child
• In writing or by other means, including electronically (or orally, when requested by the data subject)
• Free of charge
See Articles 12(1) and 12(5) of Assimilated Regulation (EU) 2016/679, UK GDPR.

Layering
A layered approach to delivering privacy information typically consists of providing people with a short notice containing key information, such as the identity of the organisation and the way it uses the personal data.
It may contain links that expand each section, revealing a second layer, or a single link to more detailed information. These can, in turn, contain links to further material that explains specific issues. See ICO Guidance—The right to be informed—How should we draft our privacy information?

The ICO and the EDPB acknowledge that there is an inherent tension between the requirement to provide comprehensive information and the requirement to do so in a concise, transparent, intelligible, and easily accessible manner. You should therefore consider the nature, circumstances, scope, and context of your processing activities and decide, within the legal requirements:
• How to prioritise the information you must provide
• What the appropriate levels of detail and methods for conveying the information are
See ICO Guidance—The right to be informed—What methods can we use to provide privacy information?

There will always be information that is likely to need to go into the top layer, such as who you are, what information you are collecting, and why you need it. What else goes into which layer will depend on the type of processing you undertake. The ICO considers that organisations have a degree of discretion as to what information they consider needs to go within each layer, based on their own knowledge of their processing. See the ICO's guide to the right to be informed, which discusses using a layered approach in the section: What methods can we use to provide privacy information to individuals?

For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit. For a full listing of key content that can be used by in-house counsel to develop, revise, and implement a company's employee and third-party-related policies, see In-House Company Policies Resource Kit. For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.