In Part 1 in our 2 part series on privacy policies, we discussed how to write a privacy policy to be used internally by employees. In Part 2, we will explore how to formulate a privacy policy that can be used by customers and suppliers.

Why is an External Privacy Policy Needed?

You may be wondering why an external privacy policy is even necessary, especially given most customers won’t even read it. 

Firstly, privacy policy is often required by law if you collect personal data from your clients. Some of these regulations around the world include:

Secondly, a company that proudly displays their privacy policy will promote an environment of transparency and honesty between the company and its customers. This will build consumer trust and confidence leading to a positive brand image. 

Finally, a company can use their privacy policy to protect itself against potential disputes about the way they collect information from their customers. 

What to Include

Before any writing is put on paper, you should make sure that you have a clear overview of what personal information is held by your company, and your personal information handling procedures. Some of this information you may already have, but for others you may need to investigate or conduct audits for.

In your privacy policy, you should first describe your company’s main functions and activities, and identify those that involve personal information handling. Activities may include:

  • Providing specified services
  • Conducting publicity campaigns
  • Handling complaints
  • Running a website
  • Sending out a newsletter

For each activity you should also describe:

  • The personal information that you collect and hold, and how you collect and hold it.
  • The reasons or purposes for which you will collect, hold, use and disclose that personal information.
  • Whether you disclose personal information to overseas entities.

The types of information your company may collect include:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • IP addresses
  • Access dates and times

The means by which information is collected include:

  • Cookies
  • Weblogs
  • Surveys
  • Web forms
  • Registration for an event or course
  • Newsletter sign-up
  • Placing an order

In terms of personal information handling procedures, there are a few items to be on top of:

  • Specific approaches, principles or commitments your company has decided to adopt for handling specific personal information. An example of this is:
    • “In relation to X process, the company will link personal information across business processes, or never do so, or only do so if the individual would expect it, or only with the individual’s consent, or only if not sensitive information, or only for X purpose.”
  • Processes for identifying, assessing and managing privacy and security risk, as well as developing and monitoring controls for those risks
  • Approaches to identifying and handling personal information your company no longer needs
  • Processes for providing access to and correction of personal information
  • Complaints handling procedures
  • Policies for managing contractors when personal information may be disclosed.
privacy policy
Web Contact Us Icons Cubes


Below is an example structure that can be used to set out the information contained within the privacy policy in a layered approach. Headings should be used to clearly separate each section of this structure. A table of contents may also be useful in helping your customers navigate the privacy policy.

Scope: Describe what the policy applies to

Collection of personal information: Provide key information on what personal information is collected and why.

Disclosure: Describe the key disclosures and conditions around those disclosures.

Rights and choices: Describe any rights and choices that individuals have, including the right to request access and correct personal information held about them.

How to make a complaint: Describe how to make a complaint about privacy and what to do if they are not satisfied with the outcome.

Contact details: Include at least a phone number and email address that won’t change with personnel. This will add another level of transparency to your privacy policy.

Other Considerations

Regularly Review and Update Your Privacy Policy

You should regularly review and update your privacy policy to reflect changes to your current personal information handling practices. Your policies surrounding changes to the privacy policy should even be incorporated within the privacy policy itself. You should also notify your current clients of any changes at the time the changes occur via an appropriate communication level, such as email or your website.

Make Your Privacy Policy Easily Available

There’s no point in having a privacy policy that promotes transparency if no one is able to see it or know where to find it. 

Your privacy policy should be free of charge and in an appropriate form. This means that if your company has a website, your privacy policy should be easily accessible from it. It is common to have a privacy policy in clear, legible text within the footer of a website, and appear on every page of your site. 


Privacy policies are a great way of showing off your transparency regarding the collection and use of personal information to current and prospective clients. The key information that should be included in this privacy policy are what information is being collected, how it is being collected, and why it is being collected. Your privacy policy should be clearly structured, regularly updated, and made easily available so that clients feel more safe doing business with your company.