What is a Privacy Policy and Why Do I Need One?

The law surrounding data and privacy can be confusing at the best of times. In this article, Trainee Solicitor Nick Goodchild looks at the basics of what a Privacy Policy is for, and why your business more than likely needs one.

It starts with GDPR

The General Data Protection Regulation (GDPR) 2016 is an EU regulation which was enacted into UK law through the Data Protection Act (DPA) 2018. Before Brexit the GDPR had direct effect in the UK, but since Brexit the DPA has effectively imported it into UK domestic law, the so-called ‘UK GDPR’. (For brevity I will refer to both UK and EU versions as ‘GDPR’ unless otherwise stated.)

GDPR gives individuals (known as ‘data subjects’) a number of rights over their data and what is done with it by organisations. Your Privacy Policy is your organisation’s way of complying with the requirement of Transparency over how you handle your customers’ data, and showing that you are handling it in line with GDPR’s requirements.

What does your Privacy Policy do?

A properly drafted privacy policy will explain the following:

  • Who is collecting and ‘controlling’ the data, and give their contact details.
  • The intended purposes and legal basis for the processing of the data, such as the customer’s consent.
  • What categories of personal data will be collected and processed.
  • The fact that you intend to transfer the data outside of the country, who you are sharing it with and the legal basis for doing this.
  • How long you will store the customer data.
  • The individual’s rights over their data, including the right to withdraw their consent.

All of these are requirements under GDPR, and it should all be explained accurately and in plain English so that customers can understand what is happening to their data.

It should go without saying that everything stated in your Privacy Policy should reflect the actual practices of your business, and should be kept up to date as your internal practices change.

The point about transferring customer data is crucial for travel businesses which will very often be sending personal data to suppliers abroad. This is known as making a ‘restricted transfer’ and it is important to ensure that you are doing it with the right authorisations and safeguards. See our library of articles, including this one, for more on the requirements for data transfers.

Why do I need a Privacy Policy?

Every organisation that handles data about identifiable individuals, such as their customers, needs to show what it is doing to comply with GDPR, and make its policy available to customers and the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO). Travel businesses typically handle a lot of customer data, from names and addresses through to more sensitive data like passport information, and the protected ‘Special Categories’ of data like dietary requirements, race and ethnicity, and health. Travel businesses, by their nature, are likely to be sending this information abroad in order to make reservations, so it is all the more important to ensure that you are handling data correctly, and also have the right agreements in place for international data transfers.

It is also worth mentioning that organisations and individuals which process personal data (with certain exemptions) need to register with the ICO and pay an annual fee. See the ICO website to check whether you need to pay a fee and how to register.

Contact NickG@Travlaw.co.uk or any of the Commercial Team on 01132 580033 if you have any questions or need advice on handling data in your business.

This article was originally published on: 7 August 2023
