A Guide to Writing Privacy Policies
What does the GDPR say about privacy policies?
Under the GDPR, the rules on how organisations provide privacy information to individuals are more detailed and specific than under previous data protection law. The emphasis is on making privacy notices understandable and accessible to individuals, and organisations are expected to take appropriate measures to achieve this.
Article 12 of the GDPR specifically states that the data controller (the organisation) should provide any information relating to the processing of personal data to the data subject (the individual) in a way that is:
• concise, transparent, intelligible and easily accessible;
• written in clear and plain language, particularly if addressed to a child; and
• free of charge
In Article 13 the GDPR provides further details of what information must be provided to individuals when their personal data is collected directly from them; Article 14 sets out the equivalent requirements where the personal data has been obtained from another source.
The ICO has published a Guide to Privacy Notices. In this the term “Privacy Notice” applies both to the information individuals are presented with when they provide their details (i.e. permission statement/data collection form) and more detailed privacy policies.
What areas should organisations cover in their privacy policies?
Use the following checklist to help you:
1. Identify the data controller (i.e. the organisation) and provide the name and contact details of the Data Protection Officer (or other nominated person given that responsibility).
2. How do you collect personal data (e.g. online, face to face, over the phone, in writing, etc.)?
3. Do you source any personal data from publicly available sources and/or from third party data vendors? What do you know about how that data was collected and how the individual data subjects were informed about what would happen to their personal data?
4. Explain what personal data you are collecting (i.e. the types of data routinely collected; for example this could include postal address, email, credit card details, date of birth, etc.).
5. Purpose. Outline what you intend to use the data for. For example, is it to provide a service to individuals, to send marketing communications to them (where they have agreed for you to do so) and/or for administrative purposes, etc.?
6. Detail each of the individuals' rights, where relevant (i.e. to withdraw consent, to object to processing, to request rectification/erasure, data portability, and to submit a Subject Access Request). Ensure you have clear and easy ways for individuals to exercise these rights.
7. Explain that individuals have the right to lodge a complaint with a supervisory authority. In the UK this would be the ICO, so consider providing their contact details (e.g. a link to their website).
8. What legal basis are you relying on to process the personal data (e.g. consent, contract, legal obligation, public interest, vital interests or legitimate interests)?
9. If you are relying on legitimate interests, explain what they are.
10. Provide assurances that appropriate safeguards are in place to ensure personal data is kept secure.
11. Consider whether you are collecting special categories of personal data and/or children's data. If so, explain what extra measures you have in place to offer assurances that it is securely protected.
12. Is the personal data shared with other organisations? If it is shared, provide details of the recipients of the data, and state whether any of it is transferred outside the EEA.
13. Make reference to your organisation's data retention policy, stating how long you keep the data or the criteria used to decide that period (see GDPR Data Retention Quick Guide).
14. If the provision of data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, ensure this is clearly stated together with any consequences of refusing to supply the data.
15. Leaving your website. Explain that any external links are not your responsibility and that once a user clicks on a link to an external site it will be subject to that organisation's privacy policy, not yours.
The ICO recently took part in an international study into website privacy notices alongside regulatory bodies from other countries. Overall, the findings showed that privacy notices were too vague and inadequate. The UK regulator reviewed thirty privacy policies across various sectors and found them lacking.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.