The GDPR outlines a number of new and updated principles that companies must comply with when collecting and storing personal information. These changes aim to protect the privacy of EU citizens by requiring greater transparency from companies and granting private persons more rights over their own data. This trend in legislation has spread around the world, inspiring privacy laws that will affect almost every company. Even if your company is based in a region without such stringent data-privacy requirements, your company must still keep up with these laws if your website is available to EU citizens and others who enjoy the rights and protections of data regulations.
1. What kind of data is collected, how, and why?
This section should describe the purposes for which personal data is collected. There are different types of personal data, so mention each type you collect; for example, profile data, behavioral data, etc. Then be specific when explaining why the data is collected.
2. How is the data processed and kept safely?
Describe and explain how your company processes personal data, and specify the security measures your company takes to protect it. For example, do you use user authentication? Do you use secure, encrypted e-mail, or another system that can receive and handle personal data securely?
3. What are your users’ rights?
4. Is your policy up to date?
5. How can individuals contact you?
Include contact information. This is a way to build trust and show that your company will follow up on any inquiries about personal data. If you provide a request portal along with your contact info, even better. Directing users who want to make data access requests to do so online makes the request process simple and frustration-free on all sides.
6. How should a person make a complaint, if needed?
Article 13.2d of the GDPR requires companies to “…provide the data subject with the following further information necessary to ensure fair and transparent processing: …the right to lodge a complaint with a supervisory authority”. Consent forms and privacy policies can include the right to file a complaint and direct people to the proper government agencies/contact information to do so.
- Clear and easy to understand, not vague
- Accurate and up to date, never misleading
The last one is especially important because you can be fined for providing inaccurate information. You are not required to have a legal team draft your policy or to use contractual language, but you should consult with others on your team to ensure you thoroughly understand how your company collects and uses personal data, so that all your statements are accurate.