- Does my business need a privacy notice?
- What information do we need in our privacy notice?
- Do I need a cookie warning notice on my website?
- I've made a privacy notice. What now?
- Where do I put my privacy notice?
- Why does my business need a privacy notice?
- Do I need a privacy notice on my website?
- Do I need to pay a specialist to write a privacy notice?
- Can I monitor staff without their knowledge?
Does my business need a privacy notice?
Yes. If your company holds personal data – which is generally any small business, charity or group that has information about people such as their names and email addresses – you’ll need a privacy notice.
There are very few situations when privacy information isn’t needed. Please contact us if you think you might be in one of those situations – we’re here to help.
What information do we need in our privacy notice?
The information you need to provide in your privacy notice includes:
- why you’re processing people’s personal data;
- how long you’ll be keeping it for; and
- who you’ll be sharing it with.
Everything you include in your privacy notice needs to be simple to read and easy for people to access. It also needs to be transparent, which will help those you do business with to trust you with their data.
Do I need a cookie warning notice on my website?
Yes. Visitors to your website need to be told that cookies are being used, and what they do.
If the cookies aren’t strictly necessary to the running of your website, you’ll also need the user’s agreement to use them.
I've made a privacy notice. What now?
You should give your privacy notice to people when you first collect their personal details, and make sure it’s available to view if they want to see it at a later date. This helps to build trust. Whether it’s in a poster, a web page or a pop-up, the important thing is that people know where to find it. If you don’t get their details directly, let them know where they can find your privacy notice as soon as possible, and within one month.
You need to review your privacy notice regularly to make sure it’s up to date, and proactively bring any changes to people's attention.
Where do I put my privacy notice?
Whether you’ve made your own privacy notice from scratch or used our privacy notice template, you should make it freely available and easy to access by those whose personal data you collect, as soon as possible.
For example, Conor is a cake maker. When he takes enquiries from customers by email, he includes a link to his privacy notice in his reply, usually at the end as part of his signature. His voicemail includes the web address for where customers can find his privacy notice. Also, a link to his privacy notice is immediately visible on the contact form page on Conor’s website. This means people can see it before they start putting their details into the contact form.
If you prefer, you could print some copies to hand out to people, or you can verbally tell them what you intend to do with their personal data. You don’t have to give people all the information in your privacy notice in one go, which could be time-consuming. Instead, you can briefly explain some of the key points when you collect the data and then let them know where they can find the full version.
For example, Penny is a physiotherapist, working in the private sector. She doesn’t have a website. She has a sign on display at her reception which says there are copies of her privacy notice available as printouts for customers to take away with them. She also attaches it to her appointment emails.
When speaking with new clients, Penny’s receptionist highlights that a privacy notice is available and tells clients how they can get a copy. She also lets the clients know that Penny may share their information with their GP or other medical professional if she believes it’s necessary to protect their health. The receptionist tells clients about this specific section as they may not be aware their data could be shared in this way.
If you’re unsure what to do in your situation, please contact us. We’re here to help.
Why does my business need a privacy notice?
Providing privacy information is one of the key requirements of the UK GDPR. Your privacy notice lets people know what you’re doing with their data. It gives them reassurance that you’ve thought about how you’ll keep it safe, whether you’ll share it with anyone else and what you’ll do with it when it’s no longer needed. This will do two important things for your business: it will help you to build trust with your clients and customers, and it will show the ICO that you take your data protection responsibilities seriously.
Data protection is everyone’s responsibility, so every business – however small – needs a privacy notice when processing people’s data.
This is because people have a right to know how you use their information before they decide to give it to you. If people don’t give you their details directly, but you get them from another company, you still have to let those people know within a month how you plan to use it. People care about their data so it makes good business sense to be proactive.
Do I need a privacy notice on my website?
Yes, you need a privacy notice on your website if that’s mainly how your clients and customers find you. If you don’t have a website, you could print some copies to hand out to people, or you can verbally tell them what you intend to do with their personal data.
The important thing is to tell people, in simple terms, what you’ll do with their data. This will help to make sure your relationships with your clients or customers are built on foundations of trust from the very beginning.
Do I need to pay a specialist to write a privacy notice?
No, most small organisations – including small businesses, sole traders and small charities or groups – will be able to make their own privacy notice for free using our simple template.
We know that small organisations often don’t have the resources that larger organisations have to help them comply with data protection regulations. That’s why our SME web hub has lots of tools and resources to help you get started and check how you’re doing. You can also contact us if you need advice. We’re here to help.
Can I monitor staff without their knowledge?
Yes, in exceptional circumstances where telling them would defeat the point of the monitoring, for example if you suspect they might be breaking the law. This should only be done as part of a specific investigation, and for a limited period of time. You must make your policies clear about when monitoring — covert or not — might take place.
You should also complete a data protection impact assessment before beginning any covert monitoring.