Privacy notices – the good, the bad and the ugly

With the ever-increasing importance of data protection, privacy notices are everywhere. Go on any website and you’ll find a privacy notice (or you should do!). Some are good, some are bad and some are just plain ugly. The good ones are to the point and easy to read. The bad ones don’t give you much info on how the organisation is using your data, and the ugly ones have too much legalese and read like contracts.


So, how do you write a privacy notice? Follow these tips:

Avoid vague language

– Words such as “may”, “might”, “often” and “most commonly” should be avoided. If you are doing something – you should say it. If you’re not, then you don’t need to mention it.

Be specific with your data retention policy

– Use accurate retention information in the privacy policy, instead of generalisations like “we only keep personal information for as long as necessary to fulfil the purposes it was collected for”. That sentence doesn’t tell anyone anything. So say how long you’re keeping the data for, e.g. “We are keeping your information for X days/months/years because …”, and actually give the reason.

Ensure your policy is rooted in the UK GDPR

– Provide complete information on the purposes and lawful basis for each of those purposes. This is a bit complicated but, essentially, tell people why you are processing their data and use the correct legal basis from the UK GDPR.

Inform users whom their data is being shared with

– Tell people the recipients or categories of recipients of their personal data. This should include processors like software providers and other recipients like group companies and government departments. If the recipients are not named, you should provide as much information as possible and be able to demonstrate why this is fair. This means that you have to tell people who you are sharing their data with.

Inform users where their data is being sent

– Tell people where their data is being processed and if you are transferring data outside of the UK. You have to tell people what country their data is being sent to, what the transfer safeguard is and whether there is an adequate level of protection for data in that country. This bit is a tad complex, so seek data protection expertise if necessary.

Why privacy notices are essential for every website

Privacy notices need to inform people of what you are doing with their data so that they have an informed choice of whether to give you their data or not. Remember, consent for marketing purposes should always be opt-in.

Looking for expert data protection advice?

Sapphire Consulting offers outsourced data protection expertise, and we are happy to help you with your privacy notices. Contact us for a free consultation to take the hassle out of writing a compliant privacy notice.
