A privacy policy is a crucial document to help comply with mandatory legal rules under the UK data protection law regime. Your organisation should use a privacy policy to inform individuals about how and why you will use their personal data if you act as a data controller. However, privacy policies can be lengthy and complicated documents that organisations struggle with. This article will explore some common mistakes to avoid in your privacy policy document or documents.
Why is Privacy Information Important?
In the United Kingdom, the UK General Data Protection Regulation (‘UK GDPR’) is the law that governs the use of personal data.
Personal data is any data relating to a living individual who can be identified directly or indirectly from it. For example, personal data includes:
- addresses;
- names; and
- surnames.
A data controller is an organisation that determines the purposes and means for processing personal data. One of the most fundamental obligations for data controllers to follow under the UK GDPR is to give individuals various information when controllers collect personal data from them.
What is a Privacy Policy?
Transparency around the use of personal data is vital under the UK GDPR rules. A privacy policy is the most common way for a data controller to tell individuals about the personal data the controller processes about them. A privacy policy is a document that explains how and why you use an individual’s personal data.
You need to clearly display your privacy policy when you collect an individual’s data. In your privacy policy, you will need to include:
- what personal data your organisation collects from individuals;
- the purposes for which you will use an individual’s personal data;
- how long your organisation will keep personal data;
- who your organisation will share personal data with;
- whether your organisation sends any personal data outside of the UK;
- which measures you have in place to keep personal data safe and secure; and
- information about the data subject rights available to individuals, including the right to a subject access request.
What Are Common Mistakes to Avoid in a Privacy Policy?
Here are some common mistakes in privacy policies that you should avoid:
1. Does Your Privacy Policy Specify the Types of Data You Collect?
Many privacy policies are vague and generic. However, it is essential that your privacy policy explicitly lists each type of personal data your organisation collects.
For example, you should specify all types of personal data you collect from individuals, such as:
- identity data, including names, genders and dates of birth;
- contact information data, including email addresses and telephone numbers; and
- financial data, including bank card details.
A vague and generic privacy policy will not be UK GDPR compliant, as it will fail to correctly inform individuals about what personal data you collect from them. You must ensure that this information is as detailed and comprehensive as possible.
2. Does Your Privacy Policy Include All Mandatory Information?
The UK GDPR sets out rules on a range of mandatory information individuals should receive when their personal data is processed. This is not optional. For example, a privacy policy may cover the basic information an organisation collects but fail to include information about:
- which third parties the organisation shares personal data with, such as third-party suppliers and group companies;
- data retention, including how long the organisation keeps personal data; or
- the lawful basis the organisation relies upon to process an individual’s personal data.
3. Does Your Privacy Policy Address International Transfers of Personal Data?
Transferring personal data to countries outside the UK is generally forbidden unless you can rely upon a valid exemption under the UK GDPR rules. This is because transferring personal data to countries located outside of the UK could potentially put an individual’s personal data at risk.
If your organisation does transfer personal data to any country outside of the UK, you must disclose this in your privacy policy. Individuals should be able to clearly see:
- where you will transfer their data to;
- whether those countries are deemed ‘adequate’ by the UK data protection regulator; and
- whether you have put additional safeguards in place to secure their data.
Businesses often neglect or ignore this, for example, because they are unaware of these rules or find it challenging to understand all of the countries to which they will send personal data.
However, it is vital that your privacy policy correctly lists the specific countries to which you will transfer personal data. You should remember this when working with international service providers who may access personal data your business controls.
Why is it Important to Avoid Mistakes in a Privacy Policy?
The UK ICO, the data protection regulator, can impose several penalties for non-compliance with the UK GDPR rules. These penalties include hefty fines and prosecution. Often, a privacy policy is a public-facing document. As such, both customers and regulators can check if it is compliant.
Data protection laws are also fast changing – for example, there have been several recent developments in rules around international data transfers, particularly after Brexit. If you are unsure whether your privacy policy complies with the UK GDPR, you can work with an experienced data protection lawyer to ensure your documents are correct.
Key Takeaways
A privacy policy is a crucial document for UK GDPR compliance. However, privacy policies are subject to stringent legal rules and need careful attention. Many businesses struggle with their privacy policies, and common mistakes include a lack of specific detail about the personal data organisations process and missing mandatory information.
If you need help with a privacy policy, our experienced privacy lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.