
February 2024

Almost all small businesses have personal information about their customers or others they deal with, such as contact details, CCTV footage, or more sensitive information. People trust you with their information. Having an accurate privacy notice lets them know why you have it, what you do with it and how they can access it. It shows you respect their information rights, and it’s a key requirement under the UK GDPR for most organisations. 

Read how we helped Richard, General Manager of The Loch Rannoch Highland Club, with their privacy notice. We hope it encourages you to review your own privacy notice or put one in place. You can use the quick and easy privacy notice generator, or speak to us if you need to.

What help were The Loch Rannoch Highland Club looking for?

The club, based in Scotland, is the first timeshare resort in the UK and it’s owned and managed by its members. They have a range of people’s information, such as employee records, member and payment details, and booking details from renters, which are processed via a secure site.

They understood the need to be transparent with people about their information, but wanted advice about how, and some peace of mind that their existing practices were compliant.

How did we support Richard and The Loch Rannoch Highland Club?

One of our data protection specialists, Syed Ali, carried out an advisory check-up with Richard. The club already had a privacy notice on their website and Syed and Richard worked together to make sure it was accurate.

Here are some of the areas they covered:

Occasionally, the club receives requests from people asking for the information the business has about them (a subject access request or SAR).

The club wanted to make sure their privacy notice made the process clear.

We shared information from our helpful guide to SARs, including response timescales for different types of requests, and that a fee can’t usually be charged.

We also advised Richard to train more than one staff member on how to spot and respond to SARs, to make sure they handle requests as quickly and easily as possible.

 

In specific circumstances, club members may need to hand a lodge back, and the club collects information from them in case they want to do this.

The club needed help to identify the lawful basis they rely on to collect this data. We worked through our lawful basis interactive tool with Richard.

We advised Richard that the lawful basis they rely on must be identified, recorded and reflected in their privacy policy.

 

The club also wanted guidance on their process for handling data-related complaints, should they receive them, and to understand if details needed to be in their privacy notice.

We shared information from our guide to handling complaints which helped them improve their internal procedure.

We also clarified they must include details in their privacy notice, for transparency, and so people understand how to make a data protection complaint to the ICO if The Loch Rannoch Highland Club were unable to resolve it first.

 

Richard, the club’s General Manager, told us:

“The updates to our privacy policy will make it much easier for our members and customers to see what information we hold about them and how we use it. It’s good for business too because it shows people we’re a transparent company they can trust.

The ICO have lots of really useful advice on their website to help with privacy notices. You don’t have to just copy and paste one from another website which might not be right for your business.

If you’ve any doubts you can call and speak to them, there’s no harsh criticism, their service is very encouraging and helps put you on the right path.”

We would like to thank The Loch Rannoch Highland Club and Richard for proactively engaging with us to improve their data protection processes, and for allowing us to share this case study.

Create a bespoke privacy notice in under 15 minutes using our quick and easy privacy notice generator, or check if your existing one is compliant.