Under GDPR you are obliged to give individuals information about how you use their personal data, and you must do this in a clear, jargon-free way. Your privacy policy should be designed with this in mind. A well-drafted privacy policy will go a long way toward ensuring that individuals are fully informed about the processing of their data, whichever lawful basis you rely on, and, where you do rely on consent, that the consent you obtain is genuinely informed.
In this article we suggest ways in which you can ensure your organisation’s privacy policy is GDPR compliant and fit for purpose. If you're unsure about your business's current privacy practices or need help drafting a privacy policy for your business, one of our expert data protection solicitors would be glad to assist.
We'll consider what a privacy policy is, how to make sure yours is GDPR compliant, whether a privacy policy is required by law, why it matters, and whether you can simply copy someone else's.
What is a privacy policy?
A privacy policy sets out details of the data you hold on individuals, how you use it and why you use it. It usually appears on your website or through a link from emails or other forms of correspondence sent by your organisation.
In the context of GDPR there is a greater onus on organisations, in their capacity as data controllers, to provide information about privacy in a concise, straightforward and transparent manner. (The duty to provide this information sits with the controller; a processor acting on a controller's instructions is not required to issue its own privacy notice to the individuals concerned.)
GDPR is all about giving individuals greater control over their personal data. Under Articles 13 and 14 of the Regulation, individuals have a right to be informed about how their data is used; your privacy policy should be designed to enable your clients and customers to exercise this right.
How to make sure your privacy policy is GDPR compliant
Making sure that your policy meets all the requirements of the evolving data protection landscape means following guidance provided by the Information Commissioner and paying careful attention to the content of the regulations themselves.
A list of what information your privacy policy should contain, and the activities it could cover, can be found in our guide to privacy policies.
When you collect personal data directly from the individual, this privacy information should be provided at the time you collect it (Article 13). When you obtain personal data from another source, you must provide the information within a reasonable period and at the latest within one month, or at the point you first communicate with the individual or first disclose the data to someone else, if that comes sooner (Article 14).
Is your privacy policy displayed clearly?
We mentioned above the emphasis GDPR places on making information about personal data clear, concise, and straightforward. Even if you provide all of the privacy information required by the rules your privacy policy won’t be truly GDPR compliant if it is not easily accessible. This means:
- Displaying the policy prominently on your website and giving details of where it can be found on company stationery and related materials. If you intend the policy to appear on smaller mobile devices you must ensure the wording appears clearly in the reduced screen space.
- Keeping the wording jargon-free. It should be easily understood by those with no background in data protection law and should be set out in an easily digestible way, for example with short paragraphs and clear headings.
- Where appropriate, you may layer the delivery of the policy (for example providing a short summary of the key points up front, followed by a link to the full policy wording).
Is a privacy policy required by law?
Articles 13 and 14 of the GDPR set out the privacy information you must provide to individuals when you have obtained their personal data. The articles enshrine the right to be informed, which is fundamental to the whole operation of GDPR. How you provide this information is up to you, but providing it is certainly a legal requirement: failing to do so is an infringement in its own right and could lead to stringent fines and other regulatory intervention. A privacy policy is probably the most effective way to ensure you protect the right to be informed.
You should remember that a compliant and comprehensive privacy policy isn’t just in the interests of individuals. It will also benefit your organisation because it will encourage consumers to trust you with their personal information.
Why is a privacy policy important?
Implementing a GDPR compliant privacy policy means you are being honest and open with individuals about how you use their data. You are also empowering those individuals to exert control over how their data is used.
Privacy policies matter in a number of ways:
- The individuals whose data you are processing are normally your customers or clients. From a business perspective it’s crucial to keep them on side. Explaining how you use their data in a frank and easily digestible way will engender their trust and willingness to provide you with data – data that could be critical to the success of your business.
- If you process data in a way that’s not transparent you can increase the risk of misuse of the data. This could potentially lead to a data breach (and regulatory intervention) or instances of discrimination or prejudice that could leave your organisation exposed to damaging legal claims. Both regulatory intervention and legal action could significantly harm your commercial reputation.
- The exercise of drafting and keeping a privacy policy under review will help you deal with GDPR compliance more broadly. The background work required for an effective privacy policy – data audits for example – will force you to assess and question the way your organisation handles the data it holds.
You can find answers to common queries around compliance in B2B and B2C contracts, marketing and sales processes in our business guide to GDPR compliance.
Can’t you just copy someone else’s privacy policy?
There is certainly a temptation, in certain areas of GDPR compliance including the provision of privacy information, to use online templates or simply copy the policy of another organisation. While it may be possible to use a template privacy policy if you are engaged in only basic, low-volume processing, we wouldn't encourage their use in most cases. Here's why:
- An effective privacy policy requires careful thought. Only you know what information you are processing and the type of individual whose data you are collecting.
- You will probably have to carry out some form of data audit before finalising your privacy policy to determine how you use the data you hold, how long you hold onto it and who you share it with. Only with these details can you sensibly frame your privacy policy.
- The data audit should also address issues such as the lawful basis you rely on for processing the data and what rights individuals have in relation to the type of data you hold. Again, these details will inform your policy in a way that a template or copied policy won't be able to.