Under data protection law, every organisation that holds people’s information needs to explain why it holds it and what it does with it. This is so their customers, suppliers, staff and volunteers know what will happen to their personal information.

Organisations can provide this information through a privacy policy or privacy notice, which is displayed on its website or included in other communications, to ensure they’re compliant.

The Information Commissioner's Office (ICO)'s new privacy notice generator can create tailored privacy notices relevant to small organisations in a variety of sectors of the economy. There are sections of the tool specific to the finance, insurance and legal the-ico-has-launched-an-easy-to-use-tool-to-help-small-organisations-and-sole-traders-create-a-besposectors; education and childcare; health and social care and charity and voluntary sectors. There are also sections designed for other small organisations in sectors such as retail and manufacturing.

The tool offers two different types of privacy notice:

• One for customer and supplier information, which organisations can display on their website or external communications.

• Another for staff and volunteer information, for inclusion in welcome packs, policy libraries or other internal channels accessible to staff and volunteers.

You can find the privacy notice generator on the ICO’s website for small organisations here.

The ICO cautions that every data controller should regularly review their privacy notice to ensure it remains accurate and up to date. It recommends that privacy notices be reviewed at least every 12 months, or sooner if significant changes are made.

The privacy notice generator does not cover the use of cookies. The ICO's cookies guidance is available here