01271 595001

Privacy Policies

Providing individuals with information about how you or your organisation propose to use the information they provide has been a requirement of the data protection & privacy legislation for many years.

However a recent initiative by the Global Privacy Enforcement Network (GPEN) indicates that many privacy policies, whether from an ‘off the shelf’ template or individually crafted are neither necessarily adequate nor compliant.


The international initiative included 24 data protection regulators from around the world and was led by the UK regulator, the Information Commissioners Office (ICO).

Fuller findings can be found on the ICO website, but here are the main bullet points of the findings in so far as the 30 UK websites checked are concerned:-

  • 86% of sites failed to specify how and where information would be stored.
    • A requirement under the Data Protection Act 1998 (DPA) Principle 8 and the new General Data Protection Regulations (GDPR), Chapter V.
  • 86% did not explain adequately whether they shared data with third parties and who that data would be shared with.
    • Again, a requirement under both sets of legislation above
  • 79% provided no information to users about how they could request deletion or removal of their personal data.
    • DPA: Various rights combined under Principle 6, clarified and enhanced with ..
    • GDPR: Right to Erasure, (the right to be forgotten)


What Information must be supplied?

Well, before the what, it’s important to understand how.

The process is usually via a privacy policy, privacy notice or as the GDPR states in European language a Fair Processing Notice (FPN), but no matter which title you give your document, the information

Must be:-

  • Concise, transparent, intelligible and easily accessible
  • written in clear and plain language, especially if addressed to a child
  • free of charge

Source : ICO


This in itself is another right under the GDPR, an individual’s right to be informed.

The link above provides the exact information that must be supplied, so we won’t duplicate it here.

eNaycH believes that perhaps the most important facet to the requirement is that should your privacy policy/notice or FPN  fail to disclose all the relevant information to individuals before they ‘hand over’ their personal data, they have been deprived of one of the most basic rights; control of their personal data and choice.

It would also leave the organisation potentially in breach of the GDPR in that personal data shall only be processed lawfully, fairly and in a transparent way, (Article 5, (a)).

Please take the findings from the research initiative as an opportunity, perhaps of a life time, to review how you or your organisation process personal data.  It may seem a daunting task, but it will generally only have to be work that needs to be done once.  But remember that the introduction of any new technology or ways of processing personal data will require a review (an ideal opportunity to implement privacy impact assessments) and possibly new consent gained from individuals.



Password Reset
Please enter your e-mail address. You will receive a new password via e-mail.