Personal data is widely defined and includes any information that can be used to identify someone. This includes information that cannot be used to identify someone on its own, but can when used in combination with other information. For example, personal data includes an individual’s name, contact details, IP address and cookie identifiers.
When your business does anything with an individual’s personal data, you must be transparent with them about what you are doing and why. This is a legal requirement under data protection law. It’s common practice to set this privacy information out in a policy that can be easily accessed through your website.
If you don’t comply with your data protection law obligations, which include providing privacy information to anyone whose data you process, you could face significant fines from the ICO (Information Commissioner’s Office). The ICO can fine businesses up to £17.5 million, or 4% of their global annual turnover, whichever is higher. On top of this, your business could also face reputational damage if it breaches data protection law.
You need to provide privacy information whenever your business processes an individual’s personal data. For example:
- Your business employs staff
- Your business runs an ecommerce website
If you run an ecommerce website, you will inevitably be processing information about your customers and other website users. This might include their names, contact details, payment information, IP addresses etc. See below for a template policy you can use on your ecommerce website.
Keeping your policy up-to-date
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.