General privacy notice
What's a general privacy notice, and when do you need it?
This is a general privacy notice and it is compliant with the new UK data protection laws (the General Data Protection Regulation, the GDPR) in force from 25 May 2018. The notice informs individuals (with whom you may do business or interact with in a business environment) about how you collect, handle, store and potentially also share, their personal data, as well as the rights that they have in relation to your activities, under the UK's data protection law.
Not all parts of the notice will be applicable to all businesses and our experts recommend that you take legal advice in relation to this and your wider data controlling activities within your business.
If you want a privacy notice for your website (which should also display one), then you should use our website privacy notice template.
The guidance notes to this template cover the position where you are or will be the data controller of the personal data and you are collecting data from the individual directly and where you may have obtained the personal data from a third party (i.e. not directly from the individual themselves) – because even where a third party acts for you, you will still need to get your privacy terms to that individual.
The practical suggestions built into the template will help you work out what's best and most logical for your particular circumstances, since you don't necessarily have to give a hard copy of the privacy notice to individuals, but you must make them aware of it and give them an easy way to access it.
What else might you need?
Before you draft your privacy notice, you should undertake a data mapping (or data audit) exercise in order to establish all the types of data which you hold, why you use them, the legal basis for using them and details of when that personal data is shared with other people or organisations.
For more information on data mapping/auditing, take a look at our guide: data handling rules and what the GDPR means for small businesses. Our GDPR – what you should be doing now guide and our 14-point GDPR checklist that accompanies it, are also very useful.
You also need to think about the layout of your privacy notice, especially if it is online. GDPR requires privacy notices to be transparent, easily understandable and concise. We've also included a number of suggestions proposed by the ICO and experts for who this might be achieved, although you will need to determine what is proportionate and compliant for your own business circumstances.
Privacy notices are commonly considered with websites only. In fact, you should have a general privacy notice, like this one, where you run more than a pure ecommerce business; and you should also have a privacy notice for your employees, explaining to them how you handle their personal data. You can use our data privacy notice for employees template for these purposes.