Can I Write My Own Privacy Policy UK?

Do you have a website or app that collects, uses, or processes personal data of EU (European Union) citizens? If yes, you’ll need to make a privacy policy accessible to your customers and the public.

What should a privacy policy include?

A privacy policy, also called a privacy notice, is an agreement with your website/app users in which your organization explains how it applies data protection principles to safeguard the personal data it gathers, and how it processes that data.

In the EU, Articles 12 to 14 of the GDPR give detailed instructions on what to keep in mind when writing a privacy policy. In the UK, the legislative requirements of the Data Protection Act 2018 also need to be adhered to.

Can I write my own privacy policy?

Many websites offer privacy policy templates that can be downloaded and tweaked to fit your needs. However, a privacy policy is a complex document that must adhere to the applicable laws.

Let’s take a look at what such a policy would include to understand the complexities involved. Here are the key elements:

  1. The data you collect and the reason for it

There are various ways to collect data from your website/app users. It could be via:

  • page tagging techniques and cookies
  • their email address and subscription preferences, collected when they sign up for your weekly/daily news alerts, newsletters, etc.
  • the feedback they provide, the questions they ask, or the complaints they post on your social media pages or on the website/app
  • how they interact with your emails (for example, whether they open them or click on particular links)

Your privacy policy needs to clearly state the specific ways you collect such personal data. Additionally, it should state why you need that data. For example, your privacy policy could say that personal data is collected to ensure the website/app meets the target users’ needs, to improve certain aspects such as site search and user navigation, or to monitor site/app usage to identify and mitigate security threats.

  2. What you do with the data

Your privacy policy has to make clear what you intend to do, or actually do, with the data: how you process the data you have collected, the steps you take at every stage of that processing, and whether you sell or rent such data to third parties. It should also state how you store the data and whether it is transferred outside the EEA (European Economic Area) for processing.

  3. How long you store the data

Different organisations may have different retention periods for the data they collect. The duration may even depend on the type of data (feedback, email data, etc.) or the purposes for which it is collected. Your privacy policy needs to state how long you store the data collected by your website/app.

  4. Data protection measures you take

Your privacy policy needs to describe the systems and processes you have set up to prevent inadvertent disclosure of data or unauthorised access to it. Thus, if your website/app applies different levels of data encryption, this needs to be mentioned in the privacy policy. Additionally, it needs to state that you ensure any third parties you deal with keep secure all personal data of your users or customers that they process on your behalf.

  5. The rights of the users and/or customers

Your users and/or customers usually have the right to ask for:

  • a copy of their personal data stored with you
  • information about how you process their personal data
  • immediate correction of any inaccuracy in their personal data

Additionally, they can:

  • ask that their personal data be erased if storing it is no longer justified
  • object to how you process their personal data
  • request that their personal data be processed in a restricted manner under specific circumstances

If you need help writing your privacy policy or need advice about whether to hire a lawyer or take the DIY route, contact us today!
