Skip to main content

What is a privacy policy?

A privacy policy is a legal document that outlines how a website, application, or organisation collects, uses, discloses, and protects the personal information of its users or customers. It serves as a transparency mechanism, informing individuals about your data practices.

This guide outlines what you should include in your privacy policy so it meets the requirements set by compliance regulations.

Why create a privacy policy?

Creating a privacy policy is essential for any website or business that collects personal information from users. Here are a few reasons why it is so important:

1. To meet legal requirements
Many jurisdictions require you to have a privacy policy. Even if a privacy policy is not specifically mentioned, drafting one is an easy way to meet many other legal requirements. For example, most regulations, like GDPR, say you must inform people how you collect, use, and protect users’ personal information.

2. To build customer trust
Trust has always been at the core of personal relationships, and its importance in business is becoming more and more evident. Think about how you can show your customers you value transparency, integrity, and security from the very first time you ask them to share data with you. Make it clear to people in your privacy policy that you are committed to protecting your customers’ privacy. This is a great way to connect with people and build your brand value.

3. To guard against misuse claims
A privacy policy can protect you from legal disputes or claims of misuse of personal information by outlining the terms and conditions under which user data is collected and processed. In the event of any legal dispute related to data privacy or security, a well-drafted privacy policy can serve as evidence of your commitment to data protection practices and thus, help protect you.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Factors to consider

There is no one-size-fits-all privacy policy. Each company’s will be different, and should take into account the:

  • Types and amount of data you collect
  • Systems and services you use to process and store personal data
  • People who see and handle the personal data
  • Laws and regulations that apply to you

Make sure you have a thorough understanding of all of the above factors before you develop a privacy policy. Once you have a firm grasp of your company’s unique privacy needs, you can start to draft your policy.

How to create a privacy policy

When you draw up your privacy policy, you should remember to mention the following:

1. The types of data you collect, how you collect it, and why
The first section of your policy should describe the purposes for which you collect personal data. To begin with, mention each type of data you collect; for example, profile data, behavioral data, etc. Then, explain why each type of data is collected.

2. How you process data and keep it safe
Explain how you process personal data. What security measures do you take to protect data? For example, user authentication, access controls, encrypted mails or other systems that can receive and handle personal data securely. Mention these in your policy.

3. User rights
GDPR gives individuals the right to access their own data. It’s a good idea to list these rights in your privacy policy. For instance, the right to correct inaccurate data, have their data erased, restrict processing of their data, receive their data in a portable format and transmit it to another controller, object to processing or to automated decision-making, and the right to withdraw consent where processing is based on consent.

4. Your contact info
Including your contact information builds trust and shows that you are ready to follow up on any inquiries about personal data. If you have a request portal, include a link to it with your contact information.

5. Tell them how to make a complaint
Article 13.2d of the GDPR says you should “…provide the data subject with the following further information necessary to ensure fair and transparent processing: …the right to lodge a complaint with a supervisory authority”.  Tell people they have the right to file a complaint and direct them to the proper government agencies.

Need help with your privacy policy?

Need help getting started with a privacy policy? In Safe Online, we have prepared a template for a privacy policy. It is free and you can download it here.

When you start filling in the privacy policy template, it is necessary to know what personal data you have, how old it is, where it is and who has access to it. Our Data Discovery tool DataMapper uses artificial intelligence to find files, emails and images with personal information in your systems.

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit