Key changes to your website privacy policy

Ben Rose
Chief Underwriting Officer
13 October 2016
2 minute read

On 7 October 2016, the Information Commissioner's Office (ICO) released a new code of practice (the Code) for privacy notices. The guidelines aim to improve transparency and fairness for individuals when organisations are collecting and using their personal data.

The Code highlights five key areas to consider when drafting new, or amending existing, privacy policies:


Rather than using a privacy policy template, the ICO recommends developing bespoke wording relevant to both the data being collected and the intended audience. The Code encourages you to map out how the information is processed in your organisation, so as to provide sufficient detail to individuals on how their data will be used. The ICO believes that the process of creating a tailored policy can in itself lead to improvements in the way personal data is used, while encouraging businesses to align their privacy policies with their house style and approach.

The Code includes further guidance on obtaining and recording consent from individuals (where this is relevant) and some examples of good practice, including some standard wording for seeking consent for direct marketing, which has helpfully been tested on members of the public.


Individuals should be given more control over the management of their personal data and how it will be used. The ICO advocates using a privacy dashboard, allowing users to indicate their agreement to particular types of data processing or sharing, and change these settings at any time.


How and when a business communicates its privacy notice is a core part of the Code. The ICO encourages businesses to be innovative and avoid using a single document when other methods of communication would be more effective. Clear and simple language should also be used whenever possible, although the Code acknowledges this isn't always easy when complex technologies and processes are involved.


Before rolling out a new privacy policy, you should also seek the input of the intended audience to check that it's doing its job effectively. This helps you test: (i) whether individuals understand the policy; (ii) if it is clear and appropriate to the audience; and (iii) whether it contains any errors.


The Code also includes a privacy notice checklist with key points to help you draft these effectively.

Following this guidance will help you comply with the General Data Protection Regulation (GDPR), although bear in mind you also need to include the further information listed in the GDPR section of the Code (Articles 13 and 14 of the GDPR) to fully comply. If you're wondering how this will be affected by Brexit, the ICO has said it is extremely likely that the GDPR will start to apply before Britain leaves the European Union and, in any case, you will need to comply to do business in the EU.

The ICO can currently award fines of up to £500,000 for failing to prevent a breach of the Data Protection Act 1998 (DPA). Under the new GDPR, coming into force in 2018, maximum fines will increase to €20m, or 4% of a company's global turnover.

Superscript provides insurance protection for defence costs and expenses arising from a civil regulatory action, such as a breach of the DPA or GDPR, as well as the actual regulatory award, civil penalty or fine payable, to the extent that these are insurable by law.

Need further information? Then contact Edward Ventham.
