How to write a Privacy Notice
A good Privacy Notice is on every new organisation’s To Do list (and some established organisations’ too). It’s tempting to download a template off the internet and fill in the gaps, but in reality doing this is a false economy.
First, it’s not that difficult to write your own bespoke Privacy Notice. The ICO provide clear guidance on how to do it, and unless you handle sensitive data or large volumes of data you shouldn’t find it too complex.
Second, for your organisation to process personal data, the data subjects (i.e. your customers/service users) must give informed consent. If you don’t make reasonable efforts to inform them (i.e. provide them with an accurate, compliant and easy to understand Privacy Notice), any agreement they give for you to process their data may be invalid.
So, how do you write a Privacy Notice that is accurate, compliant and easy to understand?
First, map out what data you process, how, and why. Start by using post-it notes to create a simple flow diagram.
Second, check that your processing meets the ICO’s requirements (and if it doesn’t, then change your processing so it does).
Third, write your Privacy Notice out in simple, clear, non-specialist language. You can use our suggested structure here to help with this.
If you would like to have a look at ‘one we made earlier’ to get you started, you can find a copy of our Privacy Notice here.
If you get stuck or are unsure about any part of the process, don’t be afraid to contact the ICO for support. They are very helpful and they want organisations to get it right in the first place, rather than penalise them if things go wrong.