In the context of GDPR there is a greater onus on companies – as data controllers and processors – to provide information about privacy in a concise, straightforward, and transparent manner.
Making sure that your policy meets all the requirements of the new data protection landscape means following the guidance provided by the Information Commissioner's Office (ICO) and paying careful attention to the content of the regulation itself. At a minimum, your privacy policy should set out:
- Your organisation’s address and contact details.
- Who the data controller is and how they can be contacted.
- The type of personal data you are collecting.
- Why you are collecting the data and the lawful basis for doing so.
- Whether you intend to share the data.
- Whether the data will be transferred outside the European Economic Area (EEA).
- The choices individuals have about how their data is used and how they can exercise those choices.
- Data retention periods.
- How individuals can exercise their rights to have their data corrected or deleted, and how they can withdraw consent to your processing of their data.
- The nature of your complaints process and clear information on how an individual can contact the ICO.
This privacy information should be provided to the individual at the time you collect the data. Good practice for presenting it includes:
- Displaying the policy prominently on your website and giving details of where it can be found on company stationery and related materials. If you intend the policy to be read on mobile devices with smaller screens, you must ensure the wording remains clear in the reduced screen space.
- Keeping the wording jargon-free. It should be easily understood by those with no background in data protection law and should be set out in an easily digestible way, for example with short paragraphs and clear headings.
- Where appropriate, you can layer the delivery of the policy (for example providing a summary followed by a link to the full policy wording).
Privacy policies matter in a number of ways:
- The individuals whose data you are processing are normally your customers or clients. From a business perspective it’s crucial to keep them on side. Explaining how you use their data in a frank and easily digestible way will engender their trust and willingness to provide you with data – data that could be critical to the success of your business.
- If you process data in a way that’s not transparent you can increase the risk of misuse of the data. This could potentially lead to a data breach (and regulatory intervention) or instances of discrimination or prejudice that could leave your organisation exposed to damaging legal claims. Both regulatory intervention and legal action could significantly harm your commercial reputation.
- The data audit should also address issues such as the lawful basis you rely on for processing the data and what rights individuals have in relation to the type of data you hold. Again, these details will inform your policy in a way that a template or copied policy cannot.