Do I need a Privacy Policy?

Since the GDPR rules were brought into force in the UK, under the Data Protection Act 2018, it’s become mandatory for businesses to have a privacy policy. If you’re collecting personal data from individuals (which means information by which you can identify someone, such as their name, address or email address), then you will need to have a privacy policy.

Most businesses with an online presence will need to make their privacy policies available online. Although in the past it was possible to take a very basic privacy policy, and use it for all types of business, these days it’s not really possible to do this. The reason is that the new GDPR rules require a business to give a lot more information about how they will be using the data that they are collecting from their users or customers.

The new rules brought in by the European Union have made data protection quite a lot more complicated. However, it’s still possible to boil down 90% of the rules and regulations into two basic principles. These are:

1) You’re allowed to use personal information collected from your customers if your use of the data is necessary for the purposes of carrying out the services you’re providing. In such a case, you don’t need the user’s consent to use their information for that purpose.

2) If you want to use your customers’ information for any other reason (which is not strictly necessary for the service you are providing) then you will need to get their consent.

A common application of these principles is that businesses are entitled to send email messages to their customers to tell them about new products or services they’re offering that might be of interest to them. However, they can no longer send the same customers the same type of information regarding products or services being offered by third parties, unless they first get their customers’ consent.

In addition, under the new GDPR rules, consent must be ‘explicit consent’. That means the individual must tick a box, or move a slider, or give some other explicit confirmation for their data to be used in a certain way. It’s no longer enough to rely on the passive acceptance of terms and conditions which simply state that the customers’ information could be used in this fashion. Now consent has to be actively given.