
Short answer: When writing a privacy policy, you must clearly and understandably explain how you handle personal data. Describe what data you collect, for what purposes, how long you store it, who you share it with, and how individuals can exercise their rights. Use plain language – not legal jargon – and make sure the information is easily accessible on your website.

What is a privacy policy?

A privacy policy is a legal document that outlines how a website, application, or organisation collects, uses, discloses, and protects the personal information of its users or customers. It serves as a transparency mechanism that supports compliance by informing people about your data practices. This guide outlines what you should include in your privacy policy. Need a privacy policy template? We’ve created one for you here.

Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability?

Ponemon Institute

Why create a privacy policy?

Creating a privacy policy is essential for any website or business that collects personal information from users. Here are a few reasons why it is so important:

1. To meet legal requirements
Many jurisdictions require you to have a privacy policy. Even if a privacy policy is not specifically mentioned, drafting one is an easy way to meet many other legal requirements. For example, most regulations, like GDPR, say you must inform people how you collect, use, and protect users’ personal information.

2. To build customer trust
Trust has always been at the core of personal relationships, and its importance in business is becoming more and more evident. Think about how you can show your customers you value transparency, integrity, and security from the very first time you ask them to share data with you. Make it clear to people in your privacy policy that you are committed to protecting your customers’ privacy. This is a great way to connect with people and build your brand value.

3. To guard against misuse claims
A privacy policy can protect you from legal disputes or claims of misuse of personal information by outlining the terms and conditions under which user data is collected and processed. In the event of any legal dispute related to data privacy or security, a well-drafted privacy policy can serve as evidence of your commitment to data protection practices and thus, help protect you.

Factors to consider

There is no one-size-fits-all privacy policy. Each company’s policy will be different and should take into account the:

  • Types and amount of data you collect
  • Systems and services you use to process and store personal data
  • People who see and handle the personal data
  • Laws and regulations that apply to you

Make sure you have a thorough understanding of all of the above factors before you develop a privacy policy. Once you have a firm grasp of your company’s unique privacy needs, you can start to draft your policy.

How to create a privacy policy

When you draw up your privacy policy, you should remember to mention the following:

1. The types of data you collect, how you collect it, and why
The first section of your policy should describe the purposes for which you collect personal data. To begin with, mention each type of data you collect; for example, profile data, behavioral data, etc. Then, explain why each type of data is collected.

2. How you process data and keep it safe
Explain how you process personal data and what security measures you take to protect it: for example, user authentication, access controls, encrypted email, or other systems that can receive and handle personal data securely. Mention these in your policy.

3. User rights
GDPR gives individuals the right to access their own data, along with a number of other rights. It’s a good idea to list these rights in your privacy policy: for instance, the right to correct inaccurate data, have their data erased, restrict processing of their data, receive their data in a portable format and transmit it to another controller, object to processing or to automated decision-making, and withdraw consent where processing is based on consent.

4. Your contact info
Including your contact information builds trust and shows that you are ready to follow up on any inquiries about personal data. If you have a request portal, include a link to it with your contact information.

5. Tell them how to make a complaint
Article 13.2d of the GDPR says you should “…provide the data subject with the following further information necessary to ensure fair and transparent processing: …the right to lodge a complaint with a supervisory authority”. Tell people they have the right to file a complaint and direct them to the proper government agencies.

FAQ about privacy policies

1. Do all companies need a privacy policy?
Yes – if you process personal data, and most companies do, you must have one.

2. Does the policy need to be published on the website?
Yes, and it must be easy to find and understand.

3. Is it enough to copy a template from the internet?
No – it must be tailored to your company and your actual data processing practices.

Need help with your privacy policy?

Need help getting started with a privacy policy? At Safe Online, we have prepared a template for a privacy policy. It is free and you can download it here.

When you start filling in the privacy policy template, it’s essential to know what personal data you hold, how old it is, where it is stored, and who has access to it. That’s why we’ve developed a GDPR Risk Assessment that gives you clarity on which files, emails and images in your systems contain personal information.

Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
