What is a Privacy Policy and Why Do I Need One?

The law surrounding data and privacy can be confusing at the best of times. In this article, Trainee Solicitor Nick Goodchild looks at the basics of what a Privacy Policy is for, and why your business more than likely needs one.

It starts with GDPR

The General Data Protection Regulation (GDPR) 2016 is an EU regulation which was enacted into UK law through the Data Protection Act (DPA) 2018. Before Brexit the GDPR had direct effect in the UK, but since Brexit the DPA has effectively imported it into UK domestic law as the so-called ‘UK GDPR’. (For brevity I will refer to both UK and EU versions as ‘GDPR’ unless otherwise stated.)

GDPR gives individuals (known as ‘data subjects’) a number of rights over their data and what is done with it by organisations. Your Privacy Policy is your organisation’s way of complying with the requirement of Transparency over how you handle your customers’ data, and showing that you are handling it in line with GDPR’s requirements.

What does your Privacy Policy do?

A properly drafted privacy policy will explain the following:

  • Who is collecting and ‘controlling’ the data, and give their contact details.
  • The intended purposes and legal basis for the processing of the data, such as the customer’s consent.
  • What categories of personal data will be collected and processed.
  • The fact that you intend to transfer the data outside of the country, who you are sharing it with and the legal basis for doing this.
  • How long you will store the customer data.
  • The individual’s rights over their data, including the right to withdraw their consent.

All of these are requirements under GDPR, and they should all be explained accurately and in plain English so that customers can understand what is happening to their data.

It should go without saying that everything stated in your Privacy Policy should reflect the actual practices of your business, and should be kept up to date as your internal practices change.

The point about transferring customer data is crucial for travel businesses which will very often be sending personal data to suppliers abroad. This is known as making a ‘restricted transfer’ and it is important to ensure that you are doing it with the right authorisations and safeguards. See our library of articles, including this one, for more on the requirements for data transfers.

Why do I need a Privacy Policy?

Every organisation that handles data about identifiable individuals, such as their customers, needs to show what it is doing to comply with GDPR, and make its policy available to customers and the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO). Travel businesses typically handle a lot of customer data, from names and addresses through to more sensitive data like passport information, and the protected ‘Special Categories’ of data like dietary requirements, race and ethnicity, and health. Travel businesses, by their nature, are likely to be sending this information abroad in order to make reservations, so it is all the more important to ensure that you are handling data correctly, and also have the right agreements in place for international data transfers.

It is also worth mentioning that organisations and individuals which process personal data (with certain exemptions) need to register with the ICO and pay an annual fee. See the ICO website to check whether you need to pay a fee and how to register.


or any of the Commercial Team on 01132 580033 if you have any questions or need advice on handling data in your business.

This article was originally published on: 7 August 2023
