- puts your customers at ease by helping your customers understand how you use data when they access your product(s) and/or service(s); and
- sets standards for how your company makes decisions about/processes data.
In the UK, companies must process personal data in compliance with privacy laws, including the UK GDPR. Almost all companies will process personal data as they will collect details such as names, addresses and contact details of customers, service providers or visitors to their website. Some examples of how you might be processing personal data as a SMB include:
- collection of personal data from prospective customers through your website, social media platforms, and other forms of communication;
- storage of customer contact details in any CRM systems; and
- login details for users of your app or website.
There are large potential fines for failing to comply with the UK GDPR - the most serious violations can results in fines of up to 4% of global turnover of the preceding financial year or £17.5 million (whichever is greater) and other violations can result in fines of up to 2% of annual worldwide turnover of the preceding financial year or £8.75 million (whichever is greater).
The policy should be drafted in plain English. Avoid legal jargon altogether and write text which is concise, accessible, and transparent. Companies and their customers mutually benefit from being on the same page in relation to data processing, as this means dealing with fewer questions about how rights can be exercised by individuals in relation to their data. The policy also serves as guidance for practical steps taken in relation to how your company handles data. For example, the policy can guide how data access requests ought to be handled. You should clearly disclose your company-specific data collection, storage and processing practices.
Access all the templates you need with PocketLaw. Save time and reduce risk by leveraging our extensive library of 130+ templates, which are developed by qualified lawyers.