How to write a meaningful privacy notice. Part One

By Tony Marshall

Part one of three.

If you sell products or services online you need to ensure you include a privacy notice to your website. 

A privacy notice is the outward facing information you provide to your customers. 

It should contain everything a customer needs to know in regard to how you process their data, what you do with it, who you share it with and how you keep it secure.

Not to be confused with an internal privacy policy, a notice should be short and sweet, not full of legal jargon and easy to navigate. 

A well written notice says, ‘we care’, a badly written notice says quite the opposite. 

But it needn’t be a chore, take days to create, require the intelligence of Einstein, or cost you money. 

Here is our easy to follow guide:

1.Create a title

Easy, this should simply be your company name followed by ‘privacy notice’. If your company name has a spelling variant or is pronounced in a particular way, let the customer know, for example:

vvast Limited Privacy Notice

(our friends know us as vast, pronounced vast and always spelt with a lower case v)

2.What data do you collect?

Next, tell people what data you collect such as name, address, email address. Tell people if you purchase data or gather it from public domains. Say if you collect special category or sensitive data and why. The key here is to be transparent. You can even create a table like this:

DataSupported BrandProspective Supported BrandBrand Consumers3rd Party Suppliers
Phone number
Purchase history
IP Address*
* when visiting or our supported brand websites


Inform people of their choices, such as the choice to provide data or not, to accept cookies or opt in or out of marketing. Inform people that you may only be able to provide your services, if they provide certain pieces of data. Keep it simple. Be open and honest in your communication.


Everyone has rights under the GDPR. These can be tricky to interpret if you aren’t a data protection nerd and so you may wish to copy and paste some detail from the ICO’s Individual Rights overview. Basically, you have to let people know that they have rights. It helps if you can take the time to be clear on what these are.


It is crucial that you inform people about how you keep their data secure. Now, this needs to be appropriate so don’t panic if you aren’t ISO 27001 certified or employ a team of high tech experts who monitor your systems like Fort Knox.

The more detail here, the better, but it could simply be that your security looks like one or some of the following:

  • Password policy
  • Multifactor authentication
  • Restricted access to the data
  • Cloud based security
  • Anti-virus management

If you have certifications and other such security in place mention it, but ensure the basics are there to show people you keep their data secure.

Your role

Your role is almost certainly going to be the controller, in that you will be deciding what happens to the data. In some cases, your company may be processing data on behalf of a third party and will, therefore, be a processor. In other cases, you may be processing data on behalf of the processor of other companies’ data, in which case you would be the sub processor. 

I’ve tried to keep this simple but it might sound complex. If it is confusing please do get in touch with me, Tony Marshall