Privacy Policy Update UK: What You Need to Know

Annabel Kaye

Back to school, back to business

Is it time to sort out your data privacy policy update? September always brings a sense of fresh starts. Now the holidays are over, many micro-business owners are catching up on admin. One of the top questions in our customer group this month has been:

“Do I need consent to update my privacy policy?”

Over the summer, we provided an updated data privacy policy template covering two important new areas:

  • The right to complain (now expected by the ICO), and
  • How you use AI in your business (because customers want transparency when their data is touched by new technology).

If you are a customer within your support period, the revised policy and new training module are waiting for you in the KoffeeKlatch zone. If you are out of support, don’t forget your returning customer Alumni code.

So how should you issue your revised privacy policy — and what happens to the old one? Let’s break it down.

Do I need consent to update a privacy policy?

In short: no.

Your privacy policy is about transparency — explaining how you handle data — not about asking for fresh permission every time you update the wording.

Consent, when relevant, attaches to a specific processing activity (for example, sending marketing emails). You don’t need to ask for it again just because you’ve published a data privacy policy update.

Which privacy policy applies to data already collected?

  • The policy in force at the time of collection governs how data already in your systems should be treated.
  • The updated data privacy policy applies to all data you collect from the date of change onwards.
  • If your new policy introduces processing you didn’t describe before, you’ll need a valid lawful basis before using existing data that way. You can’t simply backdate new permissions.

What happens to old consents under a new privacy policy?

Consents given under the old policy remain valid as long as the activity and lawful basis haven’t changed.

Example: if you had consent to send newsletters, that still stands. But if you now want to run customer data through an AI analysis tool, you must check whether:

  • the old consent covers it (unlikely unless you already updated your data privacy policy for AI), or
  • another lawful basis is more appropriate.

This is exactly where many business owners trip up: they assume “consent” covers everything. It doesn’t. Where consent is needed (and that is not all the time), it is very specific. You can’t consent in advance to anything that might happen!

Notify customers of privacy policy updates

Notifying means telling or informing. It does not mean seeking consent. The ICO requires your policy to be accurate, up to date, and easy to access.

Best practice for issuing your new data privacy policy

  • Complete the last updated field in your data privacy policy.
  • Keep an archive of older versions (for accountability, you never know when someone within your data retention period may have a query or a complaint).
  • Notify clients of substantive changes (new lawful bases, AI use, right to complain).

Options to notify:

  • A banner or pop-up on your site. If you have the tech skills, that’s a great thing to do.
  • A short note in your newsletter.
  • An email to your mailing list.

Example wording:

“We’ve updated our privacy policy to include new information about your right to complain and how we use AI in our services. Nothing else has changed in how we handle your data. You can read the updated version here [link].”

If something else has also changed, then you will need to amend the wording.

The link would be to your SharePoint or website, depending on which level you purchased and how you are sharing the policy.

Why this matters

We didn’t invent the need for a privacy policy — or the requirement to keep it up to date. That comes directly from the ICO.

The ICO reminds businesses that privacy information must be clear, transparent, and regularly reviewed. You can see their guidance here.

That can feel daunting — which is why having a straightforward template, plus the know-how to issue updates properly, makes all the difference. By keeping your policy current and telling clients about meaningful changes, you protect yourself and build trust.

If you are updating your policy for AI and the new complaints procedure, this is a great opportunity to make sure the rest of it still works too. It is easy to forget new software, apps, outsourced team members or new processes and things to do with data.

Next steps: beyond a data privacy policy update

Updating your policy is only part of the picture. The real challenge is understanding lawful bases. That is one of the biggest headaches for KoffeeKlatch customers. If you don’t understand them, completing your data privacy policy can be really challenging.

Get them wrong, and your policy update won’t hold up if questioned.

Our GDPR Online Programme takes you through lawful bases step by step, with templates, walkthroughs, and support designed for you, not big corporates with teams and directors who have time for all this. A fully editable, up-to-date data privacy policy is included.
