As part of your journey to GDPR compliance, you'll need to update your privacy notice (or create one if you don't have a policy already).
Your privacy notice usually sits on your website, and you can link to it when you're asking people to subscribe to your newsletter or enter their booking details.
The Information Commissioners have issued some of their harshest penalties for non-notification. Your privacy notice is a way for you to inform your audience about what data you collect, what you do with it, and why.
It's a chance for you to build that relationship of trust with your audiences, and present yourself as an open and honest organisation. These are qualities that set the arts, culture, and heritage sector apart from the commercial sphere - so we should be emphasising them as much as we can.
Best of all - this is an easy win. It doesn't take long to create, and it doesn't have to be a wordy or complex document. In fact, the ICO encourages you to keep it simple.
Download this free toolkit to create your own GDPR compliant privacy notice. We’ll provide a real-life example for each section, along with a text box for you to fill in the information about your own organisation.
If you have a question that isn't answered above, you can leave us a comment below and we'll do our best to answer. We’re also offering bespoke GDPR workshops for cultural organisations for £150 + VAT, so please drop Claire Rose an email if you're interested.
Guide
A privacy notice (also sometimes referred to as a privacy policy) is a key document which you must have if you collect, use or process personal data.
You must provide this document:
to inform people how you collect, process and use their personal data
typically at the point of data collection
in plain and clear language, accessible format, and free of charge
The law sets out the specific information you must supply to individuals and when.
If you collect personal data from the individuals themselves, you must include the following in your privacy notice at the time you obtain the data:
the data controller's identity and contact details
details of your data protection officer (if you are required to have one)
the purpose and legal basis for data processing
where the legal basis for processing is legitimate interest, what that interest is
where the legal basis is cookie consent, the right to withdraw consent at any time
the existence of individuals' rights (known as data subject rights)
with whom you will share personal data (named parties or categories of recipients)
whether you plan to transfer data to third countries and what safeguards will exist
how long you will keep the personal data for (or details of your retention criteria)
the right to lodge a complaint with the Information Commissioner's Office
if there is a statutory or contractual requirement for the data subject to provide personal data, and if so, the consequences of failing to provide data
if you intend to carry out any automated decision making (eg profiling), how you will make these decisions, their significance and possible consequences
In addition to the above, if you collect data from a third party (ie from a source other than the data subject), you must also include in the privacy notice:
categories of personal data concerned
the source of data (and whether it came from publicly available sources)
Your privacy notice will usually sit on your website. You should link to it when asking people to eg subscribe to your newsletter, register with your service or provide you with any personal information in any other way.
A template document is unlikely to describe your business' exact practices around privacy and data processing. However, you can use our data protection policy template document below to structure your privacy information in a way that addresses the key data protection requirements.
It is essential that you customise the document to fit the specific circumstances of your business and the type of data processing that you do.
Download sample privacy notice document (DOC, 19K).
Please note that this sample privacy notice is intended for business use only. It excludes certain provisions of the data protection law relating to public authorities and other official bodies.
In addition, we reserve the right to review and update this sample document at any point to reflect emerging best practice and case law around data protection.