How Long Data May Be Stored
There is a limit on how long you are allowed to keep personal data: the GDPR's storage limitation principle means you may retain it only for as long as the lawful basis for processing still applies and the original purpose still requires it. Lawful bases and purposes change over time, so data retention policies should be reviewed regularly and updated whenever the processing changes. For more info on how long you can store data for, see here.
For a more complete breakdown of what a privacy policy must contain, the list below sets out the required contents in detail.
- Name and contact details of the company.
- Name of data protection officer and how to contact them.
- The purpose of using people’s data (what do you plan to do with it and/or why you require it.)
- Where the personal data is stored. It should be held in a safe, secure location.
- How that information is protected.
- Who you share the personal information with, if anyone, including any third party that handles the data and shares it with others.
- Whether you plan to use the data for any purpose other than the one it was originally collected for.
- Whether you transfer the data to countries outside the EU, and what safeguards apply to that transfer, since the GDPR's protections do not automatically follow the data once it leaves the EU.
- How long will you keep personal data for? If not applicable, then the criteria used to determine how long that period will be.
- What rights do people have in relation to their data? E.g. access, rectification, erasure, restriction, objection, and data portability.
- Let people know they can withdraw their consent at any time and how to do it.
- Let people know they can file a complaint with the relevant authorities.
- Make sure the authority's contact details are also provided; for the UK that is the ICO.
- Whether people are required to provide their personal details to you in order to use your service, and what happens if they do not.
- Whether you make automated decisions, including profiling, based on the data you collect.
- Consent should be opt-in (no pre-ticked boxes) and presented separately from the website's terms and conditions.
- Whether any cookies store data. If they do, this should be clearly stated, along with what is collected, why it is collected, and how it can be erased, changed or restricted. For more info on cookies, see here.
- Adopt a style that your audience will understand; avoid confusing terminology and legalistic language.
The Lawful Bases For Processing
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)