Website privacy notice – why is it necessary?
Legal requirement: In the digital age, most businesses collect personal information through a website. This might be traffic data from website visitors, or simply information that a potential customer enters into a website form. If your website collects personal data it is a legal requirement to have a privacy notice (sometimes called a ‘fair processing notice’) posted on your website. UK data protection laws are no joke, and lack of compliance can result in hefty fines – so it’s important to use Docue’s privacy notice template to ensure compliance.
Required if controller: A business will need to have a privacy notice where it is a “controller” of personal data. A controller of personal data is a party that makes decisions about how personal data will be used - website owners will usually be a controller of website visitors’ personal data.
Risks of getting it wrong! It is a legal requirement to give certain information to data subjects via a privacy notice. Failure to do so could have a huge impact on your business, both financially and reputationally:
- Reputational damage: Mismanaged data protection practices can cost you the hard-earned trust of your customer base - having a privacy notice in place is an obvious way to demonstrate to others that you take their privacy seriously;
- Big fines: In the event of non-compliance with data protection laws, your business could be exposed to multi-million-pound fines and legal action; and
- Regulatory investigations: Data subject complaints could lead to an ICO (the data protection regulator in the UK) investigation. Such an investigation would cause the ICO to look into your data protection practices and procedures in detail, and potentially take action where instances of non-compliance are identified.
What does a website privacy notice need to include?
Key content: This privacy notice template is considered to be a “transparency notice”, meaning that its main focus is to provide information to individuals. It explains how you gather, use, disclose and manage a customer's or visitor's data when they browse your website. The privacy notice template confirms what personal information is gathered by your site and how it is used, including the legal justification for its use – a particularly important consideration when complying with UK data protection laws.
Make sure it is compliant: To comply with the requirements of UK data protection laws, there are strict requirements that must be followed and a privacy notice must include the following information:
- Controller details - the identity and the contact details of the controller (which will usually be the website owner for a website privacy notice);
- Data protection officer (DPO) - if the company has a DPO, the contact details of the DPO must be included on the website privacy notice;
- Purpose and lawful basis - the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (and where legitimate interests are relied upon as the lawful basis, details of the specific legitimate interests);
- Data sharing - details of the recipients or categories of recipients of the personal data, if any;
- International transfers - where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, including reference to the appropriate or suitable safeguards being used for the transfer;
- Retention period - the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- Data subject rights - a privacy notice must tell data subjects what their rights are under data protection laws. This includes the right to request access to and rectification or erasure of personal data, the right to request the restriction of processing concerning the data subject or to object to processing, the right to data portability, the right to withdraw consent at any time and the right to lodge a complaint with the ICO; and
- Automated decision-making - if automated decision-making, including profiling, is being used by your company, you must tell data subjects about it in your privacy notice.
You can easily include all of the matters listed above (plus more!) in Docue’s dynamic privacy notice template.
How is a website privacy notice used?
Place on your website: A privacy notice is a legal requirement if you collect personal information from website visitors, and you will need to place this privacy notice somewhere accessible on your website. You should include this document on any websites under the control of your company or business.
Keep up to date: Data protection laws are a rapidly changing area of law where there has been a lot of movement over recent years. Docue’s website privacy notice template will be constantly kept up to date to ensure it remains compliant. You should regularly check your privacy notice and update it where changes are required to comply with changes in the law.
What else do I need on my website?
Make sure you are cookie compliant too: Almost every website uses some form of cookies (which are tracking technologies). As cookies collect personal data, you are required to tell website visitors about the types of cookies that you use and also get their consent to cookies being used. For more information, please see Docue’s cookie notice template.
With Docue, you can create a top-quality privacy notice in minutes. The privacy notice template includes model clauses designed by data protection lawyers to help you draft the notice yourself and tailor it to your needs. And don’t worry if you get stuck along the way - Docue’s lawyer-drafted guidance notes are there to help you, with detailed guidance on each section and question.