The UK GDPR encourages businesses and organisations to be transparent with individuals over the use of personal data. Articles 13 and 14 of the UK GDPR include the requirement for data controllers to provide privacy information to all data subjects (the right to be informed). As a business it’s most likely that you’ll give this information to individuals in your privacy notice (sometimes referred to as a policy or a statement).
You must supply certain relevant information about your processing activities in a concise, transparent, intelligible and easily accessible way and this must usually be done free of charge. The information your notice must contain includes but is not limited to:
- Your identity and contact details
- The purpose for which you are processing their data
- Your legal basis for the processing of that data
- Who you share the personal data with
- Transfers outside the UK (if any) and how data is protected
- The retention period for which you will hold data
- An explanation of the data subject’s legal rights
You should always use clear and plain language, particularly if addressed to a child, and this must be done free of charge. There are precedent privacy notices, together with extensive guidance as to your obligations under the UK GDPR, on the FSB Hub.
In addition to the FSB resources, small businesses and organisations now have access to a privacy notice generator tool created by the Information Commissioner’s Office (ICO) to help you create bespoke privacy notices for your staff, external website visitors and suppliers. FSB supported the ICO in the development of this tool to ensure it reflected the needs of small businesses.
This tool can create tailored privacy notices relevant to small organisations in a variety of sectors of the economy. There are sections of the tool specific to the finance, insurance and legal sectors; education and childcare; health and social care; and the charity and voluntary sectors. There are also sections designed for other small organisations in sectors such as retail and manufacturing. It has been specifically designed for sole traders and start-ups, as well as small and medium-sized businesses and charities, to help ease the cost and burden to them of complying with the UK GDPR's fair processing, transparency and accountability requirements, and with the right of data subjects to be provided with detailed information about the controller's personal data collection and data processing activities.