Ah, the riveting world of privacy policies. Not the most exciting topic to be researching, but a necessary one all the same. It is absolutely mandatory for a website to have a privacy policy if said website is gathering and processing information from its visitors. It only takes one user to report your lack of policy, and this could be the spark for an investigation, so there is absolutely no need to take the chance. This privacy policy needs to explain your data-handling processes in detail; Gloss wants to let you in on the necessities in your privacy policy so you’re confident that you’re fully covered. The depth of your privacy policy does differ from company to company, but these are the essentials.
The Essentials
Contact Details
The first thing needed in your privacy policy is your company contact details and information. This includes: company name, address, email address and phone number. That is the bare minimum for any privacy policy. The next facet is where policies already start to differ. If you have appointed a DPO (Data Protection Officer) and/or a representative, their contact details should be included too.
Data Type
The next step of a privacy policy is stating what type of data and personal information your company collects. This has to be quite specific: you would not be able to get away with stating that your company collects ‘Financial Information’; it needs to specify which financial information, for example debit/credit card numbers, account numbers, names etc. You need to be very meticulous and list all of the information you collect. One more thing on this topic: you will need to specify how your company obtained this data if it wasn’t gathered directly from the individual.
Legal Basis
Under the GDPR (General Data Protection Regulation), there has to be a lawful basis for your company to gather information and data from your visitors/customers. Your company’s privacy policy needs to specify which lawful basis (or bases) you are relying on.
Data Storage Length
You are only allowed to store data for a certain amount of time; the GDPR states you can only store the information for as long as the legal basis for processing applies. This can change over time, so it is important to review and update data retention policies every couple of years. For more info on how long you can store data for, see here.
The Details
If you want a more accurate and extensive breakdown of privacy policies, the list below sets out the required contents in detail.
- Name and contact details of the company.
- Name of data protection officer and how to contact them.
- The purpose of using people’s data (what you plan to do with it and/or why you require it).
- Which lawful basis you are using to collect people’s data (see The Laws To Follow below), stated clearly in the privacy policy; e.g. “This is in accordance with Article 6 of GDPR consent law.”
- Where the personal data is stored. It should be in a safe, secure location.
- How that information is protected.
- Who you share the personal information with, if anyone. This includes any third party that handles the data and shares it with others.
- Whether you plan to use the data for any purpose other than the one it was originally collected for.
- Tell people if you transfer the data to countries outside the EU, and that GDPR protection is lost as a result.
- How long you will keep personal data for. If a fixed period is not applicable, then the criteria used to determine how long that period will be.
- What rights people have in relation to their data, e.g. access, rectification, erasure, restriction, objection, and data portability.
- Let people know they can withdraw their consent at any time and how to do it.
- Let people know they can file a complaint with the relevant authorities.
- Make sure the authority’s contact details are also provided; for the UK that is the ICO.
- Whether people are required to provide their personal details to you in order to use your service.
- Whether you make decisions based on profiling from the data that you collect.
- Consent should be opted in (no pre-ticked boxes) and listed separately from the terms and conditions of the website.
- Whether any cookies store data. If they do, this should be clearly stated, with what is collected, why it is collected and how it can be erased, changed or restricted. For more info on cookies, see here.
- Adopt a style that your audience will understand; avoid confusing terminology or legalistic language.
The Laws To Follow
One of these lawful bases must apply when writing the privacy policy:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Final Points
A lot of companies think it is a good idea to simply copy another organisation’s privacy policy and paste it onto their website. Not only is this a bad idea because that policy was more than likely written specifically for the other organisation’s data handling, it could also land you in legal trouble. A company’s privacy policy is copyrighted material; therefore, duplicating it on your website is an infringement of copyright law.
It isn’t the most exciting thing to do, but make your own custom privacy policy and make sure it is totally applicable to your data collection purposes.