Getting GDPR Ready – The Privacy Policy

Written by James Osborne

Last edited May 5, 2023

There are a few things we need to get ready for the incoming General Data Protection Regulation, and one of those is a privacy policy. Here I look into what the ICO believes a good privacy policy looks like, so you can build yours.

GDPR is looming on the horizon, and we’ve seen countless articles from hundreds of different experts helping you get ready and telling you exactly what it is. In fact, we’ve got a GDPR countdown page dedicated to the coming regulation.

So why am I writing this article? Well, I’m always keen to get to the bottom of a few answers. There is a lot of confusion about GDPR, especially some of the finer nuances in it, so today we’re going to look into the law behind the privacy policy. I’ve had a few questions about what we need to do (and what you shouldn’t do) so we don’t get stung when the deadline comes around.

I’ve spent some time reading through a variety of long-winded articles, putting in that time for you (don’t mention it) to get to the bottom of the privacy policy.

Point number 1: Simplicity is key

Luckily, a good privacy policy in the eyes of the GDPR henchmen is one of simplicity. I’ve never read a massive online privacy policy; I’ve just accepted it, and I’m sure many of you are the same. With companies like Apple and Facebook producing policies that are hundreds of pages long, it’s GDPR’s job to try and condense that and make it simple for the user.

You’ll see below that as long as you’re stating what data you’ll be taking, how you’re going to use it and what the person can expect to receive, as well as giving an option to consent, then you’re doing it right.

Point number 2: Transparency is essential

The ICO themselves have this to say: “Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

So, what does this mean? Well, your privacy policy needs to state what you’ll be doing with the individual’s data. There are a few things you’ll need to consider when you write out your privacy policy:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

It’s also important to state where the data may be coming from. Are you collecting your data from sources that are a little unconventional, like social media, ad platforms, martech and rectech? The ICO lists these three sources:

  • observed, by tracking people online or by smart devices;
  • derived from combining other data sets; or
  • inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.

Point number 3: Don’t force consent

One thing that’s important to remember is that you can’t force the consent of the individual. This rules out things like pre-ticked boxes or having no consent box at all. The ICO explain this as: “Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.”

“You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.”

The Privacy Notice Checklist

The ICO have also provided a handy checklist for your privacy notice. It’s split into four parts: the What, Where, When and How. Make sure you give this a good go over when you’re writing your privacy policy, so you can confidently check off these points.

Decide what to include by working out:

  • what personal information you hold;
  • what you do with it and what you are planning to do with it;
  • what you actually need;
  • whether you are collecting the information you need;
  • whether you are creating new personal information; and
  • whether there are multiple data controllers.

If you are relying on consent, you should:

  • display it clearly and prominently;
  • ask individuals to positively opt-in;
  • give them sufficient information to make a choice;
  • explain the different ways you will use their information, if you have more than one purpose;
  • provide a clear and simple way for them to indicate they agree to different types of processing; and
  • include a separate unticked opt-in box for direct marketing.

Also consider including:

  • the links between different types of data you collect and the purposes that you use each type of data for;
  • the consequences of not providing information;
  • what you are doing to ensure the security of personal information;
  • information about people’s right of access to their data; and
  • what you will not do with their data.

Give privacy information:

  • orally;
  • in writing;
  • through signage; and
  • electronically.

Consider a layered approach:

  • just-in-time notices;
  • video;
  • icons and symbols; and
  • privacy dashboards.

Actively give privacy information if:

  • you are collecting sensitive information;
  • the intended use of the information is likely to be unexpected or objectionable;
  • providing personal information, or failing to do so, will have a significant effect on the individual; or
  • the information will be shared with another organisation in a way that individuals would not expect.

Write and present it effectively:

  • use clear, straightforward language;
  • adopt a style that your audience will understand;
  • don’t assume that everybody has the same level of understanding as you;
  • avoid confusing terminology or legalistic language;
  • draw on research about features of effective privacy notices;
  • align to your house style;
  • align with your organisation’s values and principles;
  • be truthful. Don’t offer people choices that are counter-intuitive or misleading;
  • follow any specific sectoral rules;
  • ensure all your notices are consistent and can be updated rapidly; and
  • provide separate notices for different audiences.


What could a privacy policy look like?

This is one I’ve been playing with, which I believe we’ll be using for our inbound enquiry forms.

Here at The Recruitment Network we take your privacy seriously and will only use your personal information to provide the products and services you have requested from us. However, from time to time we would like to contact you with details of other products that we offer, such as marketing collateral, value-adding articles, eBooks and whitepapers, software, competitions, discounts and membership opportunities. This will be through email. We promise to limit the emails we send you to no more than 5 a week.

If we judge that you are interested in our products and services, or that our services would suit you, we may contact you to discuss the opportunity of offering some of our premium services. This will be through either email or telephone.

If you consent to these terms, then please tick the box below to confirm.