In the scramble of the final days leading up to the 25th of May 2018, Google crawl bots would have noticed universal updates taking place across the internet. Privacy policies for an unquantifiable number of organisations and companies were being adapted to fit the GDPR.
Prior to this event you may have been forgiven for not knowing what a privacy policy is; today it has become an integral part of any knowledgeable GDPR conversation worth joining. So, for fear of being behind the times, let's explore what a privacy policy is and how to make sure yours is ready for the doomsday that is the GDPR.
What is a Privacy Policy?
A privacy policy is a statement, generally available on a public website, which details how your organisation complies with the principles of the GDPR and how it processes personal data.
While the GDPR does not expressly require a document called a "privacy policy", Articles 12, 13 and 14 do require data controllers to be transparent and clear with data subjects about their intended processing activities, and to provide that information at the point of collection. Rather than bulking out forms and other data collection points, many organisations are choosing to dust off their old privacy policy and make it the one-stop shop for all things data protection.
How to Write a Privacy Policy
To write an effective privacy policy consider the following tips.
1) Describe who is collecting the personal data and what is being collected - List the names your organisation trades under and give a general description of its business activities. Include a summary of the types of personal data you collect and process, for example website interaction data such as cookies, or form-based personal data such as newsletter sign-ups.
2) Include your legal basis for processing, whether that be consent, legitimate interests or one of the other lawful bases in Article 6 - Make sure you can justify your processing, particularly in the case of legitimate interests. When relying on that basis you must have carried out and recorded a balancing test weighing your interests against the impact the processing has on data subjects, and be prepared to show it.
3) List any third-parties or external processors who may be supplied any of the collected personal data, including the processing activity to be carried out - Remember to include even the most benign examples such as Google Analytics or your marketing automation platform, in the case of website interaction data.
4) Detail how long you intend to retain any collected and processed personal data - "Indefinite" is not an acceptable value. Where a fixed period genuinely cannot be given, state the criteria used to determine it, and needless to say, the retention periods specified in your privacy policy must reflect what actually happens in practice.
5) Provide instruction on how data subjects can exercise their rights and the channels to use - Examples might include a form for submitting a subject access request, or a phone number to call to object to processing. Also include a general contact for the person responsible for data protection in your organisation (your Data Protection Officer, where you have one).
On Public Display
While a privacy policy is not expressly required by the GDPR, it has become something of a yardstick by which the public judges an organisation's data protection credentials. As the world and data subjects become more in tune with data protection and their privacy rights, privacy policies are likely to become a critical point on which choices are made between competitors.
Getting your privacy policy right now will not just help you with the GDPR; it will also become a promotional tool for your organisation's good practices.