- Does my business need a privacy notice?
- What information do we need in our privacy notice?
- Do I need a cookie warning notice on my website?
- I've made a privacy notice. What now?
Yes. If your company holds personal data – which is generally any small business, charity or group that has information about people such as their names and email addresses – you’ll need a privacy notice.
There are very few situations when privacy information isn’t needed. Please contact us if you think you might be in one of those situations – we’re here to help.
The information you need to provide in your privacy notice includes:
- why you’re processing people’s personal data;
- how long you’ll be keeping it for; and
- who you’ll be sharing it with.
Everything you include in your privacy notice needs to be simple to read and easy for people to access. It also needs to be transparent, which will help those you do business with to trust you with their data.
Yes. Visitors to your website need to be told that cookies are being used, and what they do.
If the cookies aren’t strictly necessary to the running of your website, you’ll also need the user’s agreement to use them.
Whether you’ve made your own privacy notice from scratch or used our privacy notice template, you should make it available and easy to access by those whose personal data you collect, as soon as possible.
You should give your privacy notice to people when you first collect their personal details. If you don’t get their details directly, let them know where they can find your privacy notice as soon as possible, and within one month. If you have a website, that’s a good place for it.
For example, Carl is a cake maker. When he takes enquiries from customers by email, he tells them as part of his reply what information he’s collecting and why, and where to find his privacy notice on his website. Carl also puts a link to his privacy notice in all his emails, usually at the end as part of his signature. His voicemail includes the web address for where customers can find his privacy notice and if people visit the contact form page on Carl’s website, a link to his privacy notice is immediately visible, so that people can see it before they start putting their details in to the contact form.
If you prefer, you could print some copies to hand out to people, or you can verbally tell them what you intend to do with their personal data.
You don’t have to give people all the information in your privacy notice in one go, which could be time-consuming. Instead, you can briefly explain some of the key points when you collect the data and then let them know where they can find the full version.
For example, Penny is a physiotherapist. She doesn’t have a website. She has a sign on display at her reception which says there are copies of her privacy notice available as printouts for customers to take away with them. When clients first visit in person, Penny’s receptionist shows the notice to people and tells them the key points, such as what personal data they need to collect and why. The receptionist also provides a summary of the customer’s data protection rights before asking them to fill out a registration form to receive physiotherapy treatment.
If customers call to book a first-time appointment, Penny’s receptionist describes the key points of the privacy notice by phone before they’re asked to share any personal details.
If you’re unsure what to do in your situation, please contact us.