The General Data Protection Regulation (GDPR) is a European privacy law that goes into effect on May 25, 2018. GDPR sets new standards for EU companies on how they collect personal data and how they inform users about their privacy practices.
To prepare for the coming changes, many businesses that are located in the EU or have European clients may need to update their privacy policies so they can adhere to the new regulations.
Under GDPR, privacy policies are very important. GDPR states that every business must have a clear, plain-language privacy policy available that includes details about how they collect and use personal data.
If you don’t already have a privacy policy, now is a great time to write one! Let’s take a look at what a privacy policy is, why you may need one, and what you should look for when writing one for your business.
Note: This resource does not constitute legal advice nor provide specific instructions on what your particular business should do. It is merely provided as a courtesy to give you an overview of GDPR and Privacy Policies. We are not based in the EU, nor are we legal experts! Please check specific GDPR requirements here: https://gdpr-info.eu/
What is a privacy policy?
A privacy policy is a publicly available document that explains how a business collects, shares, and manages personal data.
Privacy policies should list what personally identifiable information the business gathers (like names, email addresses, phone numbers, physical addresses, birth dates, financial data, etc.) and why it is collected. Privacy policies should also explain whether the business’s website uses cookies, collects tracking data, and shares or sells any information with other entities.
Article 12 of the GDPR states that you need to deliver this information to clients in a way that is:
- Concise, transparent, intelligible and easily accessible;
- In clear and plain language; and
- Free of charge.
Each business collects and handles customer, client, and employee data in a different way, so there’s no one-size-fits-all privacy policy. When writing your own privacy policy, you need to consider your business’s unique data collection and management strategy to write a policy that works for your business.
Why is updating my privacy policy important?
Beyond simply complying with new regulations, updating your privacy policy to be more transparent builds trust with users. Evaluating your data collection and management strategy makes your business safer overall. And having a clear roadmap for data security makes it easier to respond to issues if they ever arise.
For example, what happens if you have a data breach? As a small business owner, you may have never thought about this! But planning your response now will allow you to act quickly and appropriately if something ever were to happen.
Plus, now that privacy policies must be clear, concise, and intelligible, people will be able to understand how their data is used… which is good for everybody!
What goes in a privacy policy?
Articles 13 and 14 of the GDPR describe what is needed in an updated privacy policy.
In summary, GDPR asks you to disclose the following:
- What personal information you collect
- How and why you collect this data
- How data is used
- How data is secured
- Whether you share or sell data to any third parties
- Whether you use cookies
- How users can get information about the data you have on them, raise a complaint, control how their data is used, or ask to be forgotten
All of this should be described in a way that is easy for the average person to understand. This information must be readily available for customers to access. Your goal is to make this information as easy to find, read, and understand as possible.
(For full detail about what should be included, please refer to articles 13 and 14 of the GDPR. In addition, the ICO provides a great summary and resources for what you should include and disclose to customers.)
Where should I display privacy information?
GDPR mandates that a business’s privacy policy be easy to find and available free of charge. You should definitely put a link to your privacy policy in the footer or menu of your website so that customers can find and read it anytime.
In addition to making your full privacy policy available, you may also need to provide short “just-in-time” privacy notices at the point where personal data is collected (for example, on a subscription form), summarizing what data is being collected and why.
These short privacy notices are simple, to the point, and often link to the full privacy policy for users who want to read more. (The ICO has great examples and more information here.)
Note: displaying simple privacy notices at sign-up is great! But you will still need a full privacy policy if your business falls under the GDPR.
Where can I get more information about Privacy Policies?
In summary, if your business is affected by GDPR, please take the time to look over and revise or update your privacy policy to meet the new standards.
Your updated privacy policy will need to be easy to read, easy to understand, and easy to find for the average user. Add your privacy policy to your website. Include privacy notices where needed on sign-up forms, and get clear consent when users sign up.
To learn more about writing your GDPR privacy policy, visit the following sources: