How to write a privacy policy that does not backfire
Privacy policies do not impress anyone when they are long. They impress people when they are honest, specific, and match what the organisation actually does.
Why small organisations struggle with privacy policies
Many policies are copy-pasted from templates designed for large companies. These documents include features you do not use and promises you cannot keep.
This creates risk. If your policy says you do something, legally you must do it. If you don’t, the policy becomes evidence against you in a complaint.
What a small organisation actually needs to cover
A good privacy policy answers five questions clearly:
- What data do you collect?
- Why do you collect it?
- Where do you store it?
- Who has access?
- How long do you keep it?
Anything beyond that should only be included if it is real.
A structure that works
You can use this simple structure for almost any small organisation:
1. Who we are
2. The data we collect
3. Why we collect it
4. How long we keep it
5. Who can see the data
6. Where the data is stored
7. Your rights
8. How to contact us
Common mistakes to avoid
1. Mentioning tools you do not use
If your policy says you use advanced analytics, profiling, or automated decision making, that statement becomes a liability when you don’t.
2. Promising things you cannot enforce
Example: “We delete emails every 30 days.” If you do not have a process to guarantee that, remove it.
3. Adding long GDPR explanations instead of clear answers
A privacy policy is not a law textbook. Visitors want to know what you actually do, not what the law says in theory.
What to write if you are not sure
When in doubt, keep it honest and simple:
We only collect the information you choose to send us via our contact form or email.
We use it to reply to your message.
We do not sell it, and we do not share it with third parties unless required by law.
In plain English
- Your privacy policy should describe reality, not aspiration.
- You can avoid GDPR issues by being specific and honest.
- Most small organisations only need a simple, well-structured policy.