GDPR – build your own privacy policy

As part of your journey to GDPR compliance, you’ll need to get your privacy notice updated. Thankfully, this isn’t a complex process and we have put together a guide to help you do this.

The ICO’s own guidance on privacy notices emphasises how your privacy notice should be easy to understand. It doesn’t have to be too long either – here’s our privacy policy page.

Treat your privacy policy as a marketing exercise. It’s there to communicate to your customers that you are trustworthy and that you respect them. Show off how you keep their information secure.

You’ll need to think about:

  1. What information you collect.
  2. Why you do this – what you use it for.

How to use this guide

We’ll run through some of the most common parts of a GDPR-compliant privacy notice. Most are relevant to every organisation, but others (such as guest wifi and ticketing data) may not apply to you.

We’ll provide a real-life example for each one to give you an idea.


The Component Parts

Who we are

After you introduce yourself (your company name), let the reader know how seriously you take their privacy and why you’ve put this privacy notice in place.

Make this friendly and welcoming. The ICO says that you should “align to your house style”. So, use the same writing style as you do in your other copy. A great example of this is innocent drinks’ privacy notice.

“At innocent, we are committed to maintaining the trust and confidence of our visitors to our web site. In particular, we want you to know that innocent is not in the business of selling, renting or trading email lists with other companies and businesses for marketing purposes. We just don’t do that sort of thing. But just in case you don’t believe us, in this Privacy Policy, we’ve provided lots of detailed information on when and why we collect your personal information, how we use it, the limited conditions under which we may disclose it to others and how we keep it secure. Grab a cuppa and read on.”

Types of data we collect

Website Cookies

Here’s Marks and Spencer’s cookie information in their privacy policy.

Google Analytics

If you use Google Analytics to monitor your website, you can either include this in your cookies section or add a specific Google Analytics header to your privacy policy. Here’s how we explained Google Analytics on our website:

“When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. View the Google Privacy Policy here.”


If you offer guest wifi in your venue, add in how you monitor this and take care of the data. Here’s how Odeon cinemas worded this:

When you use ODEON Wi-Fi we may collect data about:

  a) your device;
  b) the volume of data which you use;
  c) the websites and applications which you access; and
  d) your usage by access time, frequency and location.

Mailing Lists

If you collect information from people when they sign up for your mailing list, you’ll need to tell them what information you gather, why you need it, and what you do with it. If you use a bulk email provider such as MailChimp, let your audience know and direct them to their privacy policy.

Here’s how we let visitors to our website know about our email mailing list:

As part of the registration process for our monthly e-newsletter, we collect personal information. We use that information for a couple of reasons: to tell you about stuff you’ve asked us to tell you about; to contact you if we need to obtain or provide additional information; to check our records are right and to check every now and then that you’re happy and satisfied. We don’t rent or trade email lists with other organisations and businesses.

We use a third-party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice. You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data protection officer

Ticketing Data

When a customer buys tickets or products from you – what information do you collect, why do you collect it, what do you do with it, and where is it stored?

Your newsletter subscription data may also be routed through your box office or CRM system, so be clear about that too.

Here’s how the Abbey Theatre lets its customers know where they can buy tickets without giving their personal data:

“When you purchase a ticket (or tickets), merchandise, membership or gift voucher(s) through the Abbey Theatre Box Office or online your name, address data, email and contact number will be stored in our Box Office system, Tessitura. You may, of course, purchase a ticket (or tickets) in person without supplying the aforementioned personal data. Please be assured that we do not share your personal details with any other company without your consent.”

Third Parties

Say who you share information with, in what form, and for what reason. For example, you may send anonymised box office information to us in order to improve your audience experience. You might also share anonymised ticketing data with touring companies who visit your venue.

Here’s how the Southbank Centre word their third parties section:

 “We may share anonymised personal information with other organisations, particularly Arts Council England, who use this to analyse our audience development programmes, ticket sales and self-generated funding to understand the impact of the public investment made in Southbank Centre. 

Many of the events at Southbank Centre are presented in partnership with other companies such as with our Resident Orchestras and other artistic organisations and promoters.  We will let them know about your booking and share your name and contact details with them but they can’t contact you unless you select either the Email or Post option under ‘I would like to hear about events, news and offers from the artists or companies presenting the events I’ve booked’ as part of your booking online, at the Ticket Office or over the phone.  We will not share sensitive information or your payment details.”

Access to your personal information

Under GDPR, the data subject has the right to access and amend any of their personal data that you hold. Make it easy for them by including a name and contact email.

You are entitled to view, amend, or delete the personal information that we hold. Email your request to our data protection officer [NAME] at [CONTACT DETAILS]

Changes to this Privacy Notice

You need to let your audience know when you will be reviewing your privacy policy and when it was reviewed.

What Next?

Once you’ve got your own policy written up, make sure it is easy to find on your website. You can also link to it when you’re prompting people to sign up for a newsletter, or when they are entering booking information. Again, it’s a way to show you value your customers’ privacy, so don’t be afraid to highlight it when you see an opportunity.
