When I interact with a website, I always look at the privacy policy. A bit sad, I know, but it tells me a lot about a business and their attitude to privacy. A privacy policy should include certain information to meet the requirements of data protection.

My daughter recently wanted to buy some clothing from a large retailer. Their privacy policy was poor and had not been updated as a result of GDPR, which highlighted that they probably weren’t taking their responsibilities seriously.

If you have a website, you should have a privacy policy setting out how you use the personal information collected as part of the individual’s use of the website. This should be straightforward information and should be in easy-to-understand language. It does have to include certain information, such as:


  • The details of the organisation (company name and contact details)
  • What data is being collected
  • How that data is being collected
  • How the data collected will be used
  • Legal basis for processing the data
  • How the data will be stored
  • How the data will be used for marketing
  • The existence of the individual’s data protection rights
  • Any use of cookies on the website
  • How cookies are used and the type of cookies in use
  • How an individual can manage the cookies on the website
  • Links to other websites and the privacy of these websites
  • How changes to the privacy policy will be made
  • Date of the privacy policy
  • The right to contact the supervisory body, which in the UK is the Information Commissioner’s Office.

If your privacy policy doesn’t meet the requirements, now is the time to revisit it and amend it to include the necessary information.