Blog
Should I Use a Privacy Policy Template Found Online?
- Posted:
- 16 September 2024
- Time to read:
- 4 mins
For many companies, spending money on a solicitor to prepare a privacy policy may seem like an unnecessary expense, especially when there are templates and policy generators readily available online. For instance, the Information Commissioner’s Office (ICO) has a policy generator designed to help small and medium-sized businesses prepare their policies. However, there are several issues that could arise from using a template privacy policy or a generator, which may result in a privacy policy that is not compliant with data protection legislation. The risks of non-compliance are significant: the ICO has the authority to impose fines of up to 4% of a company’s annual turnover and to issue reprimands, not to mention the potential reputational damage.
Understanding Privacy Policies and Compliance
A properly drafted privacy policy will show that a company has met its legal obligations under Articles 13 and 14 of the UK GDPR. These provisions create obligations on businesses who collect or use personal data to provide the people whose personal data they are holding (known as data subjects) with specific information about what data is being collected, why it’s being collected, and how long it’s kept on file (amongst other important information).
Key Issues with Privacy Policy Templates and Generators
Templates and tools, particularly the ICO’s privacy policy generator, are valuable to smaller companies, as they can provide explanations about why certain information is needed and guide businesses to take steps to make sure they are complying with their obligations. However, templates and policy generators should be used with caution. Some of the key issues with using these tools are:
Templates may not be tailored specifically to your business, your business processes or your industry, which could lead to having a policy that gives data subjects incorrect information about how you use their personal data – this would be a breach of the UK GDPR. Whilst policy generators may be slightly more tailored to your business, for example if they include a series of questions which try to assess what information you gather, these should be reviewed carefully to ensure you only refer to information that applies to your business.
Templates and generators are tools that work only from the information you provide. A generator may struggle to produce accurate clauses where a more nuanced approach is required, for example where you need to give your justification for the legal basis you are relying on, or when setting out your retention policies. More specifically:
Legal Basis
When collecting, storing or otherwise using personal data, you need a legal basis for that use. There are six legal bases provided for in the UK GDPR, the most commonly used being consent, fulfilling legal obligations, performing a contract, or legitimate interests. With legitimate interests, companies can use personal data if they have a reasonable requirement to do so, but there is an obligation on the company to balance their requirements against the data subjects’ rights and freedoms, such as their right to privacy. Businesses must inform their data subjects what their legitimate interest is.
Retention Policies
Under the UK GDPR, there are no specified timescales on how long you can keep personal data on file, but businesses shouldn’t keep personal data on file for any longer than required. There are some legal obligations to hold personal data (for example, employment information) for set periods of time, depending on what laws apply in that area, and in some areas, for example, if you are processing an order for goods or services, you may wish to keep hold of order information after the order has been fulfilled, just in case there are any claims that arise after the fact.
A template privacy policy may suggest wording for a retention policy, but some (for example, the ICO tool) will leave this area blank for you to complete if you don’t have one in place already. It’s important that the retention policy accurately reflects your business practices.
Templates and generators may come with disclaimers to say that businesses are still responsible for ensuring they understand their greater responsibilities when it comes to personal data and the UK GDPR. As they are not providing legal advice, there is no guarantee that they are compliant with the UK GDPR. If they aren’t compliant and anything goes wrong with those policies, it would be the business using the template or generator that is liable for the non-compliance. It would be unlikely that compensation could be claimed from the person who created the template/generator tool.
Summary
Overall, templates can be a great starting point for small businesses, but businesses shouldn’t over-rely on a template or generator. To ensure you comply with all your obligations under the Data Protection Act 2018 and the UK GDPR, the safest course of action is to have a solicitor draft or review your privacy policy. Investing in expert advice is well worth the cost for peace of mind and to avoid the repercussions of non-compliance.