At present, the expectation is that the UK will leave the EU sometime in 2019. The EU General Data Protection Regulation (GDPR) is due to come into effect in 2018, to it is important to keep an eye on what changes are upcoming so you can work out how your organisation will tackle them.

The main idea behind creating a privacy policy is that you are being transparent about what data you are collecting about a person, who you are sharing it with and how you are using it. This gives your website users options about how they wish to engage with you. This can help build confidence between you and your customer.

That data may take many forms but some example would be:

  • collected (a user fills in a form, buys something using a loyalty card or account)
  • observed (on-site behaviour tracked by a cookie, geo location tracking)
  • recorded (and retaining calls made to a call centre)
  • derived (where multiple data sets are combined to help build a picture of your customer)

The code includes a privacy impact assessment to help you determine what the key action points for your organisation.

It also includes a thorough checklist of what to include in your privacy notice. They also provide some examples of good and bad practice to help you assess your existing policies.

We're not going to replicate everything here - just recommend that you all read the update. Doing this all properly may take a significant amount of time but it's worth doing.

There is a legal requirement to comply with the Data Protection Act. The Information Commissioner can take action against any company found to be in breach of the DPA. The maximum financial fine for non-compliance is £500,000 or an enforcement notice ordering an organisation to improve its privacy notice or stop the processing.