
How to draft a privacy policy

Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information.  The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one.  The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).

Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.

Information audit

The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:

Privacy notice

The next step is then to create the privacy notice by documenting the output of your information audit.  The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:

  1. Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
  2. The types of personal data the controller collects, and how the personal data is collected.
  3. Whether any of the personal data constitutes special category data.
  4. What the controller intends to do with the personal data.
  5. The lawful basis for processing the personal data.
  6. Whom the controller shares the personal data with, and why.
  7. Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
  8. How long the controller keeps the personal data.
  9. How the controller keeps the personal data secure.
  10. If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
  11. Whether the controller uses automated decision-making, including profiling, and if so details of the logic involved and the consequences of such processing for the individual.
  12. What rights the individual has in relation to their personal data.

Final thoughts…
