How GDPR statements should be included in a privacy policy.  

Every website that collects personal data from its visitors is legally required to provide a privacy policy (the GDPR calls this a privacy notice). This article explains which GDPR statements must be included in it.

Under Article 12 of the GDPR, every privacy notice a business issues has to be provided ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. In practice that means plain English, with no room for legal jargon.

With this in mind you need to consider – has your policy been updated to inform website visitors of your GDPR compliance?

Where is the privacy policy located? It needs to be easily accessible and clearly identifiable, which means burying it inside your website terms of use is not an option. A clearly labelled link from the footer of every page, and from each form that collects personal data, remains sufficient.

How clearly written is the privacy policy? The wording has to be intelligible, which means not only that it is written in plain English, but that matters such as the size of the font, the use of headings and the formatting of the page itself now become relevant. A notice that is technically complete but unreadable does not meet the transparency requirement.

So if your privacy policy is overly wordy, then you need to look at whether you can say what you are saying in a clearer, more concise manner!

Increased Provision of Information

As well as giving the data subject additional rights, a key aspect of the GDPR is the provision of information to the data subject. Articles 13 and 14 set out very specific requirements for what information must now be provided in the privacy notice. These include:

1. The identity of the data controller

This will be you, as the party that decides why and how the data subject’s information is processed. An individual has a right to know the identity and contact details of the legal entity that is collecting their data and, where you have appointed a Data Protection Officer, the contact details of the DPO as well.

2. What choices the data subject has

The principle of fair and transparent processing under the GDPR requires that individuals retain control over their personal data. For the privacy notice this means that individuals must be (1) told which rights they can exercise over their data (including the right to request its deletion and, where processing is based on consent, the right to withdraw that consent at any time) and (2) told how they can do that, for example by giving a contact email address.

3. What information is being collected

It will be necessary to be very specific in describing what data is collected from the data subject. Most frequently, this will be the name, postal address and email address that you, as the business, need in order to fulfil the purpose for which the data subject provided their information. Do not forget data that is collected indirectly, such as IP addresses, cookie identifiers and analytics data, which are also personal data.

4. How long the personal data is kept

Under the GDPR, it is necessary to tell the individual how long the data will be kept. If a fixed period cannot be determined, the privacy notice must instead set out the criteria that will be used to decide the retention period (for example, ‘for the duration of the contract plus six years for tax purposes’). You can no longer simply state that the data will be kept ‘for as long as is necessary’!

5. Why the information is being collected

It is now necessary for you to set out exactly why you are collecting the personal information from the data subject, together with the legal basis for each purpose (for example consent, performance of a contract or a legitimate interest). This may be to provide them with the download, guide or service that they have requested. Be specific. As the ICO states, you should map out your data processing functions and then list the specific purposes for which the information provided will be used.

6. How long will the data be used and kept for

The storage limitation principle means that personal data may only be kept for as long as it is needed for the purpose it was collected for. The retention period must therefore be reasonable and directly related to that purpose, and it may be very different for each purpose: for example, data collected to fulfil a one-off order does not need to be kept as long as data needed to maintain an ongoing account. State the period for each purpose rather than one blanket period for everything.

7. Who will you share the information with

As the party that collects the data (the ‘Data Controller’) you will be intending to do something with that data. In many instances it will be necessary for you to pass that data to a third party to carry out the function. Where that party acts only on your instructions it is known as the ‘Data Processor’, and it is your responsibility to tell the data subject which recipients, or categories of recipients, will be processing data on your behalf. You also need a written contract with each processor setting out how they may use the data. It may also be the case that you will process the data internally, in which case you need to state that too.

8. Transfer of personal data outside of the EEA

The individual must be notified if their data will be transferred outside of the European Economic Area (EEA). The assumption is that countries which are not themselves bound by the GDPR may offer weaker data protection rights and regulation.

Accordingly, the privacy notice must state that such a transfer will take place, and on what basis: either an adequacy decision by the European Commission for the destination country, or appropriate safeguards such as standard contractual clauses or binding corporate rules, with details of how the individual can obtain a copy. The individual’s explicit consent to the transfer is only a fallback for occasional transfers, so do not rely on it as the routine basis.

Many businesses will transfer the data that they collect to a third party to process that data, for example, when passing data to a payment processing company, or to a company that does marketing for your business.

More and more businesses that use cloud storage services will store their customer data with a company based outside of the EEA, so check where your hosting, email and analytics providers actually store data before you write this section.

The Rights The Data Subject Has

Under the GDPR it will be a requirement to tell the data subject in the privacy policy what rights they have. These rights extend to:

  • The right to access a copy of the personal data held about them;

  • The right to request that their data is deleted, corrected/brought up to date, or that its processing is restricted, and the right to object to processing (including direct marketing);

  • The right to request that their data is transferred to another party in a machine-readable format (this is part of the data portability requirement);

  • The right to withdraw consent at any time, where processing relies on consent;

  • The right to complain to a supervisory body, and who that body is (in the UK, the Information Commissioner’s Office).

As you can see from the above, the information that must now be provided to a person using your website is extensive and significantly more detailed than the requirements under the Data Protection Act 1998. However, using the above guidelines, you are now well placed to update your privacy policy notice.
