Under UK GDPR, if you collect any personal information about your customers, then a privacy policy, aka a privacy notice, is a legal requirement for any UK business and their website.
Personal information is any data which could be used to identify an individual personally. Personal information includes their name, email address, home address and telephone number. These are commonly collected through enquiry forms on your website. Other information that could be considered personal information includes age, sex, religion and date of birth. Something often overlooked is the IP address of the computer the user uses to contact you. An IP address is a unique identifier on the internet which could be used to trace a user. An IP address is also considered personal information.
The privacy policy needs to inform your customers of:
The purpose of UK GDPR is to make it transparent to customers what you are collecting, why you are collecting it and what you will do with it.
UK GDPR states that you can only collect personal information required to deliver the services the customer is signing up for. So if a customer is purchasing a product from you and you need to email them a receipt, collecting their email address is a valid business reason.
However, if the product being sold does not have any age restrictions associated with it, then asking for the customer's age is illegal as you do not have a valid business reason to ask for it.
As a privacy document is a legal requirement, you can engage the services of your lawyers to create a privacy policy for you. However, this is likely to be an expensive exercise and often unnecessary.
The best way to generate a compliant privacy policy for the UK market is to use a UK privacy policy generator such as the one from Termageddon.
Termageddon has been crafted by lawyers specialising in privacy law. It will walk you through a series of questions about the personal information you collect and how you process it. Once completed, you will have a UK compliant privacy policy. If you deal with customers from multiple countries, Termageddon will develop a privacy policy that caters to regulations from many leading nations including the UK, USA, Canada and Australia.
The great thing about Termageddon is that if the privacy laws change, your policy will automatically update to reflect the current privacy regulations. Even without changing regulations, if your business changes, you can modify your Termageddon policy as often as you want.
You may have seen free templates for privacy policies on the internet. While these may be suitable for some, for most, you should tread cautiously:
The answer is almost certainly yes. If you collect a single piece of personal information about your customers, e.g. their name, then you need a privacy policy. Otherwise, you will be in breach of UK GDPR, which carries fines of up to 4% of turnover (note, turnover, not profit).
You must display the privacy policy in a clear line of sight of your customers; it must not be hidden away. If you have a website, most privacy policies are linked to from the footer of your site so that any prospective customers can easily view them.
In the unlikely event that you do not have a website, then you could consider printing out the policy and handing it to your customers.
You can view the privacy policy of Web X Design Studio here, or by clicking the link in the footer. This is an example of a policy that covers multiple territories as we have customers in the UK and the USA.
Web X Design Studio is a reseller of the Termageddon privacy policy generator. For only £75 (that's cheaper than going to Termageddon direct!), you can create a privacy policy tailored to your company's specific needs. Whilst it is a simple and intuitive questionnaire, if you need guidance in completing the questions, all purchases come with a free 30-minute consultation. (Note that while we've dealt with privacy issues for more than seven years, we are not lawyers, so any advice has to be taken as guidance only.)