A good Privacy Policy starts long before you write a single sentence. It starts with your Record of Processing Activities (ROPA). You can read all about ROPAs in our previous post.
Your ROPA is your data map. It shows every processing activity across your organisation. When you write your Privacy Policy, you cross-check each activity against your ROPA to make sure you are being transparent and that nothing has been forgotten.
What is a Privacy Policy?
Your organisation’s Privacy Policy should explain how you collect, use, share, store and protect personal data. It should include:
- Who you are and how to contact you
- How you collect data and who you receive data from
- What data you collect
- How you use data
- Who you share data with
- How long you keep data
- How you store and protect data (described in general terms; the detail of your security measures belongs in your ROPA and internal documentation, not in a public document)
- What rights people have
- How they can complain to you or to the ICO if they are unhappy
- When the Privacy Policy was last updated
It is a live document and you need to keep a record of any changes you make to it, including what changed and when. Under your transparency obligations, you should also inform people when you update your Privacy Policy and let them know what has changed.
External vs Internal Privacy Policies
An External Privacy Policy applies to everyone outside of your organisation. This can include visitors, website users, customers, donors, participants, community partners and other stakeholders, and applicants (job, paid-for opportunity, volunteer). In short, anyone you are engaging with who isn't staff. This policy should be easily accessible via your website.
An Internal Privacy Policy applies to everyone inside your organisation. This can include staff, freelancers, board members, and volunteers. This policy explains how you use HR, Payroll, and Safeguarding data and is typically shared during the onboarding process. It should be easily accessible to staff.
These two groups have different relationships with you. They give you different data. You use that data for different reasons. So they need different explanations.
Taking a Layered Approach
A layered privacy policy supports what the GDPR expects: clear, accessible information that people can actually use. Instead of one long, overwhelming document, you break it into sections that speak directly to the groups you work with.
Which groups you include will depend on your organisation’s context, and the starting point is always understanding what you process and why. Your ROPA helps map this out and ensures each layer reflects real‑world practice rather than guesswork.
External Privacy Policy (by group example)
- Customers, Members, Donors
- Participants and Young People
- Website users
- Community Partners and Other Stakeholders
- Job, Paid-for Opportunity, or Volunteer Applicants
- Suppliers
Internal Privacy Policy (by group example)
- Staff (full-time, part-time, and casual)
- Freelancers
- Volunteers
- Board and Committee Members
How your ROPA Shapes Your Privacy Policy
Your ROPA is your checklist. If it's in your ROPA, it should be in your Privacy Policy. If it's not in your ROPA, you need to ask why you're doing it at all. This is how you stay lawful, fair, and transparent. The one place the mapping is not one-to-one is security: your ROPA can record the specific technical and organisational measures you rely on, but the Privacy Policy should describe those safeguards in general terms rather than publish detail an attacker could use. As you go through each processing activity, ask yourself…
- Have we explained this in the Privacy Policy?
- Have we been clear about the purpose?
- Have we stated the lawful basis?
- Have we listed the recipients?
- Have we included retention periods?
- Have we covered international transfers?
- Have we explained people’s rights?
Risks of an Incomplete or Inaccurate Privacy Policy
- Confusing your users
- Losing trust
- Missing key legal requirements
- Making it harder to respond to rights requests
- Creating inconsistencies across teams
- Failing to demonstrate compliance
And if the ICO ever comes knocking, your ROPA and your Privacy Policy need to match.
Final Thought
A Privacy Policy isn't a box-ticking exercise; it's a live document that allows you to stay on top of your processing activities and communicate them transparently to stakeholders.
Get in Touch
If you’re a cultural organisation looking for tailored support, plain English policies, or practical training that empowers your team, we’d love to help. Get in touch for a free 30-minute consultation.
