Have you updated your company’s privacy policy ready for GDPR? If not, now is the time to do so. Here are 5 Things You Must Have in Your Privacy Policy for GDPR:
Control where your data is and how it’s stored, shared and accessed
With the arrival of the GDPR, your privacy policy will start to play an even more important role in how you inform users, customers, prospects of how you collect their personal data. Hopefully by now you have gone through the process of auditing what personal data you are collecting, for what purposes you are processing such personal data and what the legal basis is for doing so. Next step is to update your privacy policy to ensure that it is transparent and GDPR compliant.
Articles 13 and 14 of the GDPR explicitly require companies to inform people (or data subjects) of key things about how their personal data is collected, what purpose it is being used for, the legal basis for processing their data and more.
Under the GDPR privacy notices must be concisely written, intelligible, transparent and easily accessible.
Privacy notices must be concisely written, intelligible, transparent and easily accessible Click To TweetPractically this means that the policy should:
- be displayed prominently and not hidden amongst other terms and conditions that would make people have to read large amounts of text;
- for online privacy policies you should adopt a layered approach, so show a short summary of the important or unusual uses of their personal data and then provide a link to click for information that is more detailed;
- use language that is clear, straightforward and free from jargon;
- use headings to break the policy down into relevant sections.
Here are 5 key things to make sure are included in your Privacy Policy
1. Who They Can Contact And How They Can Contact Them
You need to let people know who they can contact should they wish to submit a Subject Access Request (or SAR) to find out what data you hold on them. If your organisation is required to have a Data Protection Officer, your privacy policy should give details of who that is.
You also need to give people clear information on how to contact the right person in your organisation.
Practical tip: If you have a form on your Contact Us page, then add a “data request” option to it. Or add clear information on your Contact Us page about how to get in touch with the right person.
Recommended reading: 5 Key Things About Data Not to Miss in the GDPR
2. What Legal Grounds You Are Using to Collect Personal Data
There are six legal grounds under the GDPR for processing personal data.
1. Consent
Where the person has opted in and given consent for one or more specific purposes.
The data subject must be told that they can withdraw their consent at any time (and it needs to be as easy to withdraw consent as to give it). Consent also needs to be verifiable, so record keeping relating to consent is important.
2. Contractual necessity
Where it is necessary for a contract to take place.
3. Lawful processing
For compliance with legal obligations.
4. Vital interests
This could be for vital interest for the person or to serve public interest.
5. Public interest
E.g. for scientific research, public health etc.
6. Legitimate interest
Perhaps the trickiest to get to grips with but think of it this way, even when data processing is necessary to the controller, such legitimate interests must be weighed against “the interests or fundamental rights and freedoms of the data subject”. Should data controllers justify processing without consent based on this subparagraph, they will need to be prepared to prove legitimate interests (a higher burden) relative to the implied general interests of data subjects.
The GDPR also explicitly focuses on the case when the data subject is a child and parental permission is always needed. Moreover, the GDPR also explicitly says that the legal ground of legitimate interest doesn’t apply to personal data processing by public authorities in the performance of their tasks. If the legal basis for processing is legitimate interest, then organisations will have to set out in their privacy policies what exactly their legitimate interest is.
Recommended reading: There May Be Some Surprising Benefits of GDPR
3. What Personal Data You are Collecting and Their Rights
You need to tell people what personal data is collected (for example name, address details, card details, technical information (such as IP address) etc); if you are using cookies then the type of cookies used should be detailed too.
You need to inform people of their rights and how they can exercise them. There are 6 particular rights of individuals under GDPR:
- Subject access – If a customer or prospect submits a Subject Access Request (SAR) then you have to respond within 30 days and supply them with a copy of the information you hold on them.
- To have inaccuracies corrected – Having obtained a copy, if they require inaccuracies to be corrected this has to be done in a timely manner.
- To have information erased – If someone wants to be “forgotten”, then you have to delete them from your data.
- To object to direct marketing – You must remove them from your marketing communications if requested. And more importantly, you now need to be able to show that they gave consent to be on your marketing list.
- To restrict the processing of their information – This means that an individual can limit the way that an organisation uses their data. It’s an alternative to requesting that their data be erased. This includes automated decision-making.
- Data portability – You need to be able to provide the data electronically and in a commonly used format.
Recommended reading: A Practical Guide to the Principles of GDPR and Data Protection
4. How Long the Personal Data Will Be Kept For
You have to tell people how long their personal data will be retained for. This means you should:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
Recommended reading: How to Leverage GDPR For Marketing Your Business
5. Whether Personal Data is Processed Outside of the EAA
If you are processing their personal data outside the European Economic Area (EEA) you have to inform them and also tell them what protections are in place to safeguard the personal data.
Finally, don’t forget these:
- A reminder that people can withdraw consent.
- Tell people that they can complain to the relevant supervising authority.
- Give them information about automated decision-making, including profiling that you are using.
If you have covered these 5 key things and made sure your privacy policy is easy to read, easy to understand and easy to access then you should be in good shape for GDPR compliance.
Ready to give Rinodrive a go? Signing up for a free trial is just
Have you updated your company privacy policy? Did you find this article useful? Tell us your thoughts in the comments below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).
About The Author:
Before joining Rinodrive, Jill Holtz founded Mykidstime.com and Digital4Sales.com, as well as a spin-off company Clearbookings.com.
In her past life, Jill worked in CRM and Marketing Support managing projects for British Gas, Royal Bank of Scotland, Barclays Bank, AIB, as well as holding product management and communication roles in several technology companies. Jill holds a BSc in Mathematics from University of Glasgow, an MSc in Operational Research from University of Strathclyde and a 1st class honours Executive MBA from NUI Galway. Jill was included on Technology Voice’s 2014 list of Ireland’s Talented Technology Women. She has a passion for digital and social media marketing and is an experienced writer and speaker.
More posts by