So, getting straight to the point, the short answer is - probably yes, but it depends. Ok that may not be very helpful, so let's look at some details, from the basics up.
TABLE OF CONTENTS
According to GDPR (General Data Protection Regulations) if a website collects personal data from it's visitors, website owners are legally obliged to declare how they treat that data if either or both of these conditions are true:
- if the website owners or website visitors are in the UK or EU
- if the website owners or website visitors are nationals of the UK or EU
CHECKING IT TWICE
Most of the time it will be obvious if you are collecting people's personal data on your website – for example if you have a contact form on your website or an opt-in form for people to sign up to receive a newsletter then it's fairly obvious that you're collecting personal data. But there are many instances when things can be overlooked as they are not so obvious, for example -
Do you have analytics tools hooked up to your website - like Google Analytics? Again you'll be collecting some form of data on visitors. It might not be the obvious name and contact detail type data and might be just an IP address that's collected by the software, but privacy policies are required even if you're collecting non-personally identifiable, pooled data.
Considered to be one of the most comprehensive policy generators, it claims to auto update policies in line with changes in GDPR and CalOPPA laws and policies can include over 650 clauses. Iubenda works on a monthly subscription - there's a free plan and a number of paid options. Alternatively, if you're lucky enough to catch a deal you can buy a lifetime licence through Appsumo at a fraction of the cost.
Enter general information about your company, then more details about how you operate, Free privacy policies are available for individuals but businesses are charged. There is a one time fee per policy with extra charges for extra clauses of cover.
Privacy regulations are lengthy and complex, and handling of personal data is strictly regulated, including the process required if there is a data breach, notifying authorities and notifying those whose data might have become vulnerable. As a website owner you may be a data controller and a data processor so it's best to familiarise yourself with these terms and responsibilities. You'll find the full regulations on the government website Guide to the General Data Protection Regulation and more details at the Information Commissioner's Office.
And a final disclaimer - the information in this article is not provided by legal experts. Always check with your legal advisor and the relevant authorities for current regulations to ensure you are compliant with all requirements.