
Prior to the GDPR passing, most people had no knowledge of what a Privacy Policy is, what it is used for, or why and when it should be used. Having a GDPR-compliant Privacy Policy is an integral element of being transparent with your audience; it also ensures that you are giving a data subject their Right to be Informed.

What is a Privacy Policy?

A privacy policy is a statement or a legal document that discloses some or all of the ways an organisation gathers, uses, discloses and manages a customer or client’s data. It fulfils a legal requirement to protect a customer or client’s privacy.

As part of this article, we look at what a Privacy Policy must contain in order for it to be compliant. At the very minimum, a data subject needs to be informed about:

What data do you collect?

Data subjects need to be aware of what data you actually hold, and this can range from name and contact details to bank details to special category data. This applies especially when a child’s data is collected.

Why do you collect the data?

There must be a purpose for you collecting the data.

Who will the data be shared with? And why?

Which third parties you will be sharing the data with, and why they need to have it. This helps build transparency and also gives the data subject more control over their data. There is no requirement to name specific third parties; you can just describe them, e.g. ‘your personal data will be shared with external lawyers for XYZ purposes’.

Will you be transferring the data internationally and/or outside of the EEA?

This helps build transparency and also gives the data subject more control over their data.

How long will the data be kept for?

This gives data subjects the knowledge of how long their data will be held for, again building trust and transparency.

Their rights.

Not only is this a specific requirement of GDPR, but it also lets the data subject know what they are entitled to under data protection law.

The name and contact details of your Data Protection Officer / Representative (if applicable).

This gives the data subject the opportunity to speak to someone within your organisation if they have any GDPR questions, requests or complaints.

The question a lot of ClearComm clients ask is: does the data subject have to consent to the Privacy Policy? The Clear answer is No. The requirement from GDPR is that the privacy information is clear and easily accessible.

When does a Privacy Policy need to be provided?

Data given by the data subject.

If the data subject is giving the data directly to you, then you must provide a privacy policy at the point the personal data is obtained. As an organisation you must look at all of your data collection points: if the data is being collected electronically, there should be a privacy statement or a link to your privacy policy; if the data is collected in hard copy, a hard copy privacy policy should be provided to the data subject; and if their email address has been collected, it is acceptable to email them a link to your privacy policy at the first point of contact.

Data obtained from public / online sources.

There may be instances in which data is obtained through other methods, for example for business generation purposes or over the phone. If you will be emailing the data subject from a corporate email address, then we would advise you to have a link to the Privacy Policy in the signature of your emails to cover the above scenarios, or even for ad-hoc purposes.

Data obtained by a third party.

There may be occasions where an organisation uses a third party to collect data on the organisation’s behalf. When this is the case, the organisation must provide the privacy information to the data subject within a reasonable period of obtaining the personal data, and no later than one month or, if sooner, when the first communication with the data subject takes place.

Why is it important to have a Privacy Policy?

  • Being transparent towards your users is possibly the most important reason. Providing your clients and customers with a clear picture of why and how you process their personal data makes them feel secure.
  • It’s the law, and you’re required to comply with GDPR.
  • You may work with third-party organisations, but they may not want to work with you if you do not have a Privacy Policy.