In the context of GDPR there is a greater onus on companies – as data controllers and processors – to provide information about privacy in a concise, straightforward, and transparent manner.
Making sure that your policy meets all the requirements of the evolving data protection landscape means following guidance provided by the Information Commissioner and paying careful attention to the content of the regulations themselves.
This privacy information should be provided to the individual at the time you collect the data.
- Displaying the policy prominently on your website and giving details of where it can be found on company stationery and related materials. If you intend the policy to appear on smaller mobile devices you must ensure the wording appears clearly in the reduced screen space.
- Keeping the wording jargon-free. It should be easily understood by those with no background in data protection law and should be set out in an easily digestible way, for example with short paragraphs and clear headings.
- Layering the delivery of the policy where appropriate (for example, providing a summary followed by a link to the full policy wording).
Privacy policies matter in a number of ways:
- The individuals whose data you are processing are normally your customers or clients. From a business perspective it’s crucial to keep them on side. Explaining how you use their data in a frank and easily digestible way will engender their trust and willingness to provide you with data – data that could be critical to the success of your business.
- If you process data in a way that’s not transparent you can increase the risk of misuse of the data. This could potentially lead to a data breach (and regulatory intervention) or instances of discrimination or prejudice that could leave your organisation exposed to damaging legal claims. Both regulatory intervention and legal action could significantly harm your commercial reputation.
You can find answers to common queries around compliance in B2B and B2C contracts, marketing and sales processes in our business guide to GDPR compliance.
- The data audit should also address issues such as the lawful basis you rely on for processing the data and what rights individuals have in relation to the type of data you hold. Again, these details will inform your policy in a way that a template or copied policy won’t be able to.