3 Common Mistakes to Avoid in Your Privacy Policy

A privacy policy is a crucial document to help comply with mandatory legal rules under the UK data protection law regime. Your organisation should use a privacy policy to inform individuals about how and why you will use their personal data if you act as a data controller. However, privacy policies can be lengthy and complicated documents that organisations struggle with. This article will explore some common mistakes to avoid in your privacy policy document or documents.  

Why is Privacy Information Important?

In the United Kingdom, the UK General Data Protection Regulation (‘UK GDPR’) is the law that governs the use of personal data.  

Personal data is any data relating to a living individual who can be identified directly or indirectly from it. For example, personal data includes: 

  • addresses; 
  • names; and 
  • surnames.

A data controller is an organisation that determines the purposes and means of processing personal data. One of the most fundamental obligations on data controllers under the UK GDPR is to provide individuals with specified information when the controller collects personal data from them.

What is a Privacy Policy?

Transparency around the use of personal data is vital under the UK GDPR rules. A privacy policy is the most common way for a data controller to tell individuals about the personal data the controller processes about them. A privacy policy is a document that explains how and why you use an individual’s personal data.

You need to clearly display your privacy policy when you collect an individual’s data. In your privacy policy, you will need to include:

  • what personal data your organisation collects from individuals; 
  • the purposes for which you will use an individual’s personal data;
  • how long your organisation will keep personal data; 
  • who your organisation will share personal data with; 
  • whether your organisation sends any personal data outside of the UK; 
  • which measures you have in place to keep personal data safe and secure; and
  • information about the data subject rights available to individuals, including the right to a subject access request. 

The full details of the information you must provide are in Article 13 and Article 14 of the UK GDPR. The information you need to provide depends on whether your organisation collects personal data from an individual directly or through another source who is not the data subject.


What Are Common Mistakes to Avoid in a Privacy Policy?

Here are some common mistakes in privacy policies that you should avoid:

1. Does Your Privacy Policy Specify the Types of Data You Collect?

A lot of privacy policies are very vague and generic. However, it is essential that your privacy policy explicitly lists each type of personal data your organisation collects.

For example, you should specify all types of personal data you collect from individuals, such as:

  • identity data, including names, genders and dates of birth; 
  • contact information data, including email addresses and telephone numbers; and
  • financial data, including bank card details.

A vague and generic privacy policy will not be UK GDPR compliant, as it will fail to correctly inform individuals about what personal data you collect from them. You must ensure that this information is as detailed and comprehensive as possible. 

2. Does Your Privacy Policy Include All Mandatory Information?

The UK GDPR sets out rules on a range of mandatory information individuals should receive when their personal data is processed. This is not optional. For example, a privacy policy may cover the basic information an organisation collects but fail to include information about:

  • which third parties the organisation shares personal data with, such as third-party suppliers and group companies;
  • information about data retention and how long the organisation keeps personal data; or
  • the lawful basis the organisation relies upon to process an individual’s personal data. 

3. Does Your Privacy Policy Address International Transfers of Personal Data?

Transferring personal data to countries outside the UK is generally forbidden unless you can rely upon a valid exemption under the UK GDPR rules. This is because transferring personal data to countries located outside of the UK could potentially put an individual’s personal data at risk. 

If your organisation does transfer personal data to any country outside of the UK, you must disclose this in your privacy policy. Individuals should be able to clearly see:

  • where you will transfer their data to;
  • whether those countries are deemed ‘adequate’ by the UK data protection regulator; or 
  • if you have put additional safeguards in place to secure their data. 

Businesses often neglect or ignore this, for example, because they are unaware of these rules or find it challenging to understand all of the countries to which they will send personal data. 

However, it is vital that your privacy policy correctly lists the specific countries to which you will transfer personal data. You should remember this when working with international service providers who may access personal data your business controls.

Why is it Important to Avoid Mistakes in a Privacy Policy?

The UK ICO, the data protection regulator, can impose several penalties for non-compliance with the UK GDPR rules. These penalties include hefty fines and prosecution. Often, a privacy policy is a public-facing document. As such, both customers and regulators can check if it is compliant. 

You should ensure that your organisation works hard to comply with the UK GDPR rules and that your privacy policies are accurate and comply with the mandatory requirements.

Data protection laws are also fast changing – for example, there have been several recent developments in rules around international data transfers, particularly after Brexit. If you are unsure whether your privacy policy complies with the UK GDPR, you can work with an experienced data protection lawyer to ensure your documents are correct. 


Key Takeaways

A privacy policy is a crucial document for UK GDPR compliance. However, privacy policies are subject to stringent legal rules and need careful attention. Several businesses struggle with their privacy policies, and common mistakes include a lack of specific detail about the personal data organisations process and missing mandatory information. 

If you need help with a privacy policy, our experienced privacy lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
