Skip to content

When Should Businesses Update Their Privacy Policies?

Table of Contents

If you act as a data controller when processing personal data, a privacy policy is essential for UK General Data Protection Regulation (UK GDPR) compliance. When drafting your privacy policy, you must ensure it complies with the relevant data protection law rules. However, you cannot simply publish or issue your privacy policy and then forget about it. You may need to review and update your privacy policy at various stages in accordance with the law. This article will explore the circumstances in which you may need to update your privacy policy. 

Why is a Privacy Policy Important for UK GDPR Compliance?

The principle of transparency is essential under the UK GDPR rules. If you act as a data controller, you must provide transparent information to individuals from whom you collect personal data. 

A data controller is an organisation that decides the purposes and means for processing personal data.

Personal data means any data related to a living individual who can be identified directly or indirectly from it. For example, personal data includes:

  • names; 
  • email addresses; and 
  • photographs of individuals. 

You need to provide individuals with clear and transparent information about the personal data you collect from them and why. Businesses commonly comply with this requirement by publishing or issuing a detailed privacy policy document.

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

What Should a Privacy Policy Contain?

A privacy policy identifies vital information about how a data controller processes personal data. A privacy policy needs to include a range of specific information, including:

  • a complete list of all of the types of personal data you collect, such as names, email addresses, telephone numbers, and dates of birth; 
  • the reasons for which you will use personal data, such as to perform a contract you have with a data subject; 
  • details about how you secure personal data;
  • information about whom you share personal data with and whether you transfer personal data to any countries located outside of the United Kingdom; and 
  • information about data subject rights. 

You should refer to Article 13 and Article 14 of the UK GDPR for a list of all the information a privacy policy needs to include.

You may issue different types of privacy policies to customers and suppliers. You must provide your privacy policy at the point when personal data is collected. 

Why Do Businesses Need to Update Their Privacy Policies?

You need to provide individuals with a range of information when you collect personal data from them. You must also inform individuals if there are any changes to the information you initially provided. 

If you intend to use a data subject’s information for different purposes, for example, you must inform them before you carry out further processing activities. 

You need to provide this information clearly and transparently. This means you need to update any relevant privacy policies. You must also notify affected data subjects about the changes made to ensure they are fully informed. 

There are several consequences for failing to comply with the UK GDPR rules, including heavy fines. As such, you should fully understand how you use personal data, monitor your data processing activities and ensure your privacy policies are fully up-to-date and correct.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

When Should Businesses Update Their Privacy Policies?

You should regularly review your privacy policies to check whether the information in them is accurate and up to date. It is a good idea to set specific times to review your privacy policies, for example, every few months and at least annually. 

You may also need to update your privacy policies if there is a change in law. For example, there have been various changes in international data transfer laws after Brexit. Privacy policies need to be updated to reflect these changes. 

Here are some examples of the stages at which you may need to review and update your privacy policies:

Collecting New Types of Personal DataIt is common for organisations to launch new products or services. This may include collecting new types of personal data. For example, if you launch a service for consumer customers, you may start to collect personal data from individuals. You must review and update your customer privacy policy to set out any new types of personal data you collect and why. 
Changing the Way You Process Personal Data If you change how you use personal data, you must update your privacy policies accordingly. For example, you may begin to work with new suppliers with whom you will share personal data. 

Alternatively, you might engage a supplier located outside the United Kingdom. In this case, you must update your privacy policies to reflect that you work with new data sub-processors and that you transfer personal data to countries located outside of the United Kingdom.
Changing the Purposes for Which You Use Personal Data If you need to use an individual’s personal data for a new purpose, you must tell them before doing so. For example, if you collected personal data from a customer simply to deliver their order but now want to use their data for other reasons. You must update your privacy policies to reflect the new purposes for using personal data. 

You should explain when your new privacy policies will come into force and provide contact details of whom individuals can reach out to with any questions.

Key Takeaways

As your business is likely a data controller, your privacy policy is crucial for UK GDPR compliance. You must tailor your privacy policy to explain how you process personal data. A privacy policy needs to be accurate and up-to-date at all times. Therefore, you may need to update your privacy policy at various stages. For example, where you begin to collect new types of personal data or seek to use personal data for new purposes. If you need advice on updating your privacy policy and how to do so, you can work with an experienced data protection lawyer to support you. 

If you need help reviewing or updating your privacy policies, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Preparing Your Business for Success in 2024

Ensure your business gets off to a successful start in 2024. Register for our free event today.

Spam, Cookies and Content: Legal Considerations When Leveraging Digital Marketing

Understand your business’ marketing legal obligations in the digital age. Register for our free webinar today.
See more webinars >

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times