If you act as a data controller when processing personal data, a privacy policy is essential for UK General Data Protection Regulation (UK GDPR) compliance. When drafting your privacy policy, you must ensure it complies with the relevant data protection law rules. However, you cannot simply publish or issue your privacy policy and then forget about it. You may need to review and update your privacy policy at various stages in accordance with the law. This article will explore the circumstances in which you may need to update your privacy policy.
Why is a Privacy Policy Important for UK GDPR Compliance?
The principle of transparency is essential under the UK GDPR rules. If you act as a data controller, you must provide transparent information to individuals from whom you collect personal data.
Personal data means any data related to a living individual who can be identified directly or indirectly from it. For example, personal data includes:
- names;
- email addresses; and
- photographs of individuals.
You need to provide individuals with clear and transparent information about the personal data you collect from them and why. Businesses commonly comply with this requirement by publishing or issuing a detailed privacy policy document.
What Should a Privacy Policy Contain?
A privacy policy identifies vital information about how a data controller processes personal data. A privacy policy needs to include a range of specific information, including:
- a complete list of all of the types of personal data you collect, such as names, email addresses, telephone numbers, and dates of birth;
- the reasons for which you will use personal data, such as to perform a contract you have with a data subject;
- details about how you secure personal data;
- information about whom you share personal data with and whether you transfer personal data to any countries located outside of the United Kingdom; and
- information about data subject rights.
You may issue different types of privacy policies to customers and suppliers. You must provide your privacy policy at the point when personal data is collected.
Why Do Businesses Need to Update Their Privacy Policies?
You need to provide individuals with a range of information when you collect personal data from them. You must also inform individuals if there are any changes to the information you initially provided.
For example, if you intend to use a data subject’s information for different purposes, you must inform them before you carry out further processing activities.
You need to provide this information clearly and transparently. This means you need to update any relevant privacy policies. You must also notify affected data subjects about the changes made to ensure they are fully informed.
When Should Businesses Update Their Privacy Policies?
You should regularly review your privacy policies to check whether the information in them is accurate and up to date. It is a good idea to set specific times to review your privacy policies, for example, every few months and at least annually.
You may also need to update your privacy policies if there is a change in law. For example, there have been various changes in international data transfer laws after Brexit. Privacy policies need to be updated to reflect these changes.
Here are some examples of the stages at which you may need to review and update your privacy policies:
| Example | Explanation |
| --- | --- |
| Collecting New Types of Personal Data | It is common for organisations to launch new products or services. This may include collecting new types of personal data. For example, if you launch a service for consumer customers, you may start to collect personal data from individuals. You must review and update your customer privacy policy to set out any new types of personal data you collect and why. |
| Changing the Way You Process Personal Data | If you change how you use personal data, you must update your privacy policies accordingly. For example, you may begin to work with new suppliers with whom you will share personal data. Alternatively, you might engage a supplier located outside the United Kingdom. In this case, you must update your privacy policies to reflect that you work with new data sub-processors and that you transfer personal data to countries located outside of the United Kingdom. |
| Changing the Purposes for Which You Use Personal Data | If you need to use an individual’s personal data for a new purpose, you must tell them before doing so. For example, you may have collected personal data from a customer simply to deliver their order but now want to use their data for other reasons. You must update your privacy policies to reflect the new purposes for using personal data. You should explain when your new privacy policies will come into force and provide contact details of whom individuals can reach out to with any questions. |
Key Takeaways
As your business is likely a data controller, your privacy policy is crucial for UK GDPR compliance. You must tailor your privacy policy to explain how you process personal data. A privacy policy needs to be accurate and up to date at all times. Therefore, you may need to update your privacy policy at various stages, for example, where you begin to collect new types of personal data or seek to use personal data for new purposes. If you need advice on updating your privacy policy and how to do so, you can work with an experienced data protection lawyer to support you.
If you need help reviewing or updating your privacy policies, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.