For a data controller, a privacy policy is a crucial document you need to comply with the UK General Data Protection Regulation (UK GDPR) rules. A privacy policy informs individuals about the personal data you process about them and why. Depending on your business and how it collects personal data, you may find providing individuals with more than one privacy policy helpful. This article will explore when you require more than one privacy policy for your business in the United Kingdom.
What Is a Privacy Policy and Why Does It Matter?
Telling individuals about how you use their personal data is a vital principle of the UK GDPR privacy law rules.
Data controllers are organisations that decide how and why to use personal data. As a data controller, it is crucial to inform individuals about how you will process their personal data. For instance, you must tell them how and why you intend to use their telephone number, email address, or other contact information.
Under the UK GDPR, personal data has an extensive meaning and can include all sorts of information that could identify an individual. As such, most organisations will collect and process some form of personal data as a data controller.
By implementing comprehensive and transparent privacy policies, your business can demonstrate its compliance with the UK GDPR transparency rules and privacy laws.
What Information Should a Privacy Policy Typically Cover?
A privacy policy needs to lay out a range of information.
For instance, some of the information your privacy policy should cover includes:
- comprehensive information about the types of personal data you collect (e.g. contact details, names, postal address, and bank details);
- your purposes and the lawful basis for processing personal data;
- information around data security and retention periods;
- data sharing information, stating which third parties you share data with and whether you transfer data outside of the UK; and
- clear information about data subjects’ rights and the right to complain to the data protection regulator.
Do I Need More Than One Privacy Policy?
The answer will differ from business to business and depend on your personal data processing activities. It also depends on how you wish to present the information to individuals.
If you operate multiple websites, you may need a separate privacy policy for each. Similarly, having a separate mobile application may warrant a unique privacy policy for the app.
You also need to consider whether you collect personal data from distinct groups of individuals at different points. If you use their data in various ways, each group may require different privacy information.
The essential purpose of a privacy policy is to provide individuals with clear information about intended data processing. A privacy policy should be clear, easy to understand and visible before you collect personal data. As such, different privacy policies can help your business meet its compliance obligations.
Practical Examples
Suppose you are a famous brand manufacturing merchandise sold to end-user consumers and business resellers. Your business may collect personal data from a range of sources, for instance:
- you may have a business-to-business website on which you collect limited personal data from potential business partners via a ‘Contact Us’ form—for example, names, email addresses, and IP addresses;
- you may also have a consumer-facing e-commerce website, where consumers provide various personal information so you can sell products to them;
- you might also have a mobile app for children to play games. Children may need to input specific personal data to register to use the app; or
- some business customers may also simply walk into your physical shop to sign contracts with you, and you may collect their personal data in person.
These are different instances in which you can collect personal data from various types of data subjects and for different purposes.
As such, you may find preparing different privacy policies for each group of individuals easier and more transparent.
Scenarios Justifying Different Privacy Policies
For example, you could prepare:
- a simple privacy policy for business customers entering your shop and providing their data or calling you up to provide their data;
- a more detailed website privacy policy for business customers contacting you through your business website, whereby you will collect various technical data about their devices;
- a more detailed website privacy policy for consumers purchasing e-commerce products on your consumer website; and
- a child-friendly privacy policy, written in child-friendly language, for children using the app.
Issuing separate privacy policies can allow you to tailor each policy to the relevant audience and help you present information clearly to avoid potential confusion.
You should also consider at what points you interact with and collect data from individuals. For instance, business customers who give you their personal data at your physical shop are unlikely to see your website’s privacy policy. You are more likely to prove you informed them of their privacy rights if you issue them a physical privacy notice before you note down their details at your shop.
Are Separate Privacy Policies Mandatory?
Technically, it is not mandatory to have separate privacy policies. For instance, you could choose to have one ‘global’ privacy policy, which applies to all individuals from whom you collect personal data and explains how your business collects data from multiple groups of individuals in different ways. However, such a notice could become lengthy and confusing for individuals to understand. Note that your privacy policies need to be clear and accessible, and individuals should be able to understand them easily.
If you need advice on whether you need more than one privacy policy, an experienced data protection lawyer can help. A lawyer can review your points of data collection and identify whether your business should issue more than one privacy policy or if a global policy is suitable.
Key Takeaways
A privacy policy is a crucial UK GDPR compliance document that informs individuals about how you will process their personal data. If you collect personal data from different groups of individuals or via different means, you should consider whether you should implement more than one privacy policy. For example, a mobile app privacy policy aimed at children will look very different to a website privacy policy tailored towards sophisticated business customers. Whilst not mandatory, using more than one privacy policy can allow you to provide precise and tailored information to different groups of individuals. If you need support understanding how your business should present privacy information, you should take legal advice.
If you need advice on your privacy policies, LegalVision’s experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.