Privacy Notices Under GDPR: How to Draft a Compliant Statement
The deadline for the enforcement of the new General Data Protection Regulation (GDPR) is fast approaching and many businesses are still unprepared to address new privacy concerns and requirements.
GDPR changes are going to have the most profound effect on privacy policies and notices. The GDPR privacy notice has a couple of specifics that make it different from previous versions of the document. Currently, a privacy notice template is made available by the Information Commissioner’s Office. This is one of the official sources of information you can rely on to ensure compliance. Other privacy notice forms you find online could potentially be outdated, which will lead to a GDPR compliance failure.
What Does a GDPR Privacy Notice Have to Feature?
The aim of GDPR is to give internet users and website visitors full control over the manner in which their personal data is being used. The rights of website visitors, customers, and subscribers should be presented in a comprehensive privacy notice.
The privacy notice is a public statement that focuses on how personal and sensitive data protection principles will be applied in reference to the website’s functioning.
According to Articles 12, 13 and 14 of the GDPR, a website’s privacy policy should be:
- Concise and written in a language that’s easy to understand
- Transparent and readily accessible on the website
- Free of charge
- Written so that a child could understand the information contained in it
There are numerous important questions that website privacy terms and conditions have to address in order to ensure GDPR compliance. A few of these key issues include:
- Information about the entity that is collecting data and how this data is going to be used
- What is the legal basis for the collection and the processing of personal or sensitive information
- Is the information going to be shared with third parties, how and why
- The amount of time during which personal and sensitive data is going to be stored
- The rights of the individuals who share their sensitive data with the entity
- The manner in which a complaint can be filed
- The manner in which website visitors can consent or withdraw consent to data collection
Drafting a GDPR-Compliant Privacy Policy
Most often, privacy notices are copy-pasted or filled with jargon to the point that they become completely illegible.
If your privacy notice isn’t simple, straightforward and well-written, you will have to rework it.
All manners in which personal data is going to be collected and used will have to be outlined. This means that if you use third-party products on the website (Google Analytics, email newsletter software) that require visitor information, your visitors should be informed.
A generic privacy policy is no longer going to cut it. It has to be specific and it has to provide details about the entity behind the website, the purpose of the website, data collection practices and the numerous ways in which such information is going to be used to enhance the visitor’s experience.
Official privacy notice templates can be quite helpful when attempting to draft a brand new document. In the absence of legal knowledge or experience, however, you may want to seek professional assistance. There are fines and penalties for compliance failures, which is why you can’t leave the drafting of your privacy notice to chance.