How will the GDPR shape your privacy policy?

Posted by Fox&Bear

In this guide, we’ll cover:

  • Best practice privacy policy tips
  • Guidance on creating a GDPR compliant privacy policy
  • Advice around UX design and page layout to increase brand trust and loyalty


By now, we all know what the GDPR is bringing (come May 2018). It brings clarity and transparency to the consumer, along with more control over how their personal data is collected, stored, shared and used.

Over the past year, we’ve gone over a few of the areas that these new regulations will affect, allowing you time to review your entire marketing strategy. Next up, the privacy policy.

Collecting data is a privilege, and you should provide a detailed, transparent privacy policy written in plain English so that everyone who reads it can easily understand the processes involved when they part with their valuable data, allowing them to make a more informed decision on what they want to provide.

Privacy policies should exist if your company collects data, to set expectations to the consumer on the journey their data might take, and how it will be used. In the past, we’ve seen lengthy, jargon filled pages with no way to easily dissect the information provided.

“Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR).” – The ICO

The GDPR on privacy policies

The GDPR says that the information you provide to people about how you process their personal data must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and
  • Free of charge

Keep this front of mind when writing your privacy notices and align to your house style. You want the information you provide to fit with your company ethos and your tone of voice, if you have in-house copywriters, they can help to fit the language with what your customers would expect. If you don’t have in-house copywriters, our team can help make sure your policy is on brand and shares the information needed to be GDPR compliant.

Have you considered UX?

Avoid common UX issues by making sure your privacy policy is readable and users can easily navigate themselves around and find what they’re looking for quicker. This not only makes the experience better for the end user, the clarity also increases brand trust which importantly helps to boost conversion rates.

How can you make your page clear?

As a rule of thumb, avoid clumping the lengthy information in one solid block. Instead, break sections out clearly using headers, sub headers and clever spacing to bring order and simplicity to the page. Another option is to use expandable headers which will be displayed in a simple bullet list, making scanning the page much easier for the user and allows them to find the information they need much quicker.

Further clarity for data capture forms

We’re seeing the use of just-in-time notices, these works by displaying further information when it’s relevant. These notices can really help to balance information and simplicity, whilst not overwhelming the consumer.

Round up – Our favourite UX examples

Just-in-time notifications

These notifications appear immediately when you click on selected form fields. They are great at building trust between users and uSwitch, pro actively explaining why they collect certain bits of personal data

Source: www.uswitch.com

Expandable text boxes

Marks and Spencer use expandable text boxes under each heading in their privacy policy. This makes navigation really simple and users can even rate how useful they find each section.

Source: www.marksandspencer.com

The privacy policy – what to include


Introduce your company – give clear contact details as well as stating what data privacy means to you as a company.

All companies should be ethical and reliable when it comes to data privacy and this is something you should let your customers know. We suggest including the following:

  • Short introduction
  • Business Disclaimer
  • Company name and address

Data collection

It’s best to start with a summary of what personal data is. A quick summary will do, but it all helps to get across total transparency so there is no confusion between you and your customers.

As well as summarising what personal data is, we’d recommend answering the following:

  • What data do you collect?
  • Why do you collect that specific data?
  • Where do you collect data and how?
  • How does the data help support your marketing activities?
  • Where do you keep the data you collect?
  • How do you ensure the data is kept safe?

What is personal data?

Personal data refers to data which relates to a living individual who can be identified from the data held.

Data uses

How do you use the data you collect? Describe this in detail, using clearly defined sections so readers can easily find information that is relevant for them. We’d also recommend providing a short summary if this information upon sign up.

Third-parties & software

Do you share any of the data you collect? If so, you must explicitly tell people at point of consent as consent must be given for use by all third parties. If you use a third-party service provider that won’t contact the consumer directly but will be helping you to carry out a service, you can provide additional information. This helps give complete transparency and promotes trust, but isn’t a direct requirement of the GDPR.


Describe the existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.


Include a description of how you use personal data to carry out marketing activities, as well as what information is used.

You should also provide information on how users can opt-in and opt-out of your marketing campaigns and if you use thirdparties. It’s best practice to also describe the software that you use and link to their privacy policies if necessary.

User rights

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erase
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Make sure these are front of mind and explained throughout your privacy policy as these are some of the main updates that the GDPR will bring.

Data accuracy

Describe what measures you take to make sure all data you hold is accurate and up to date. Tell users that individuals can correct their personal information if it needs updating or is incorrect.


Inform the user on your retention period for holding their personal data, or describe the criteria used to determine the retention period.

Security and access

Highlight the steps your organisation takes to safeguard personal information in the event of a breach. What are the actions your company will take to limit risks?

Include your policy on an individual’s right to access their own personal data. Include contact details so users know who to contact and describe how the information will be provided.

Contact information

Summarise by highlighting Data Controller details and your Data Protection Officer (if applicable) along with contact details.

  • Include contact information
  • How to raise a complaint
  • When the privacy policy was last updated

Future updates

Add in a small section at the end that mentions when the policy was last updated. You can also mention that your organisation is continuously reviewing your privacy policy, and if any updates are made, users will be notified on the homepage when they next use the site.


Remember, the aim of the GDPR is to give consumers back control and to reduce risk and abuse so the more you communicate your ethical data practice in your privacy policy, the more trust you will gain from the consumer.

Privacy and data protection can be daunting. If you aren’t sure where to start or want help updating your existing policy in time for May, don’t hesitate to get in touch. Our team have some great experience writing a number of different policies and hold an IDM Award in General Data Protection Regulation so you can rest assured knowing your website is in good hands.

  • Write your privacy policy in a tone of voice that aligns with your brand
  • Be really transparent with what you include, the more detail – the better!
  • Think about usability of the page, UX design shouldn’t be an oversight
  • Don’t forget to include a company disclaimer, as well as a brief summary on the ethos around your data outlook