May 23, 2018
Earlier this month, we published a guide on what you need to know about the EU’s General Data Protection Regulation (GDPR).
This regulation is effective May 25, 2018, and is designed to harmonize data privacy laws across Europe.
While the GDPR requires a lot of things, one requirement you should know about is the requirement to have a privacy policy. Many businesses are already preparing privacy policy updates that reflect the new requirements and communicating them to their users.
If you think you need to comply with the GDPR and you don’t have a privacy policy, you may need one. If you do have one, you should make sure it’s updated to reflect what the GDPR says you need to put into it.
If you are unsure whether the GDPR (or any other privacy requirements) apply to you and your business, you should talk to your legal counsel about whether you need to update or revise your privacy policy.
What is a privacy policy?
A privacy policy is a legal document that informs your customers and users about how you are handling their personal information. Under the GDPR, this means “any information relating to an identified or identifiable natural person.” Note that in other parts of the world, different laws include different definitions of what personal information is, but the point here is that you need to tell people what your privacy practices are regarding the information you collect, use, share, and disclose about them.
You also should give your customers and users information about what choices they can make about the information they have provided to you — for example, opting in or out of marketing communications, or requesting information be corrected or otherwise managed in a way that is in accordance with their wishes, subject to applicable laws.
What is personal information?
Personal information can include a range of information, such as name, address, email address, financial information, and other contact information. In some cases, it can also be information related to your digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers. It also could mean information about a person, including their physical, mental, social, economic, or cultural identities.
Where to start with your privacy policy
The first thing you should do is consult with your legal counsel on your obligations under the GDPR and other relevant laws.
In a privacy policy, users want (and the GDPR says you must include) the following:
- Transparency
- Clarity
- Control over how their data is collected
- Control over how their data is used
- Communication
- Commitment to data privacy and security
After consulting your legal counsel, there are a few more steps you can take to launch a successful privacy policy, or to update your existing policy:
- Determine the legal basis for your use of personal data
- Develop a process to respond to requests made by individuals who want to exercise their rights under the GDPR
- Draft and/or update your policy and have your legal counsel review and approve
- Communicate your new policy, or any updates to your existing policy, to your users
You should consider including the following in your privacy policy:
- What specific data you are collecting
- How you will be using that data
- How you will be collecting that data
- Who you will share data with
- How long you will keep that data
- How you will store that data
- How you will protect that data
In addition, you may want to think about whether you should include information about how a user may express a preference about marketing, or make a request about the information you hold about them, such as to access, correct, modify, or, in some instances, delete it (again, you should talk to your own legal counsel about the particular categories your privacy policy should cover).
Get started with your privacy policy
When it comes to anything related to compliance and legal issues, it is important to take action. You certainly do not want your business to fall victim to avoidable fines and legal consequences. Whether it is because of the GDPR or other legal requirements, a privacy policy is a must-have for any business operating today.
Once you have your privacy policy up and running, it is time to start using it. Make sure it is easy to find on your website and available to view whenever you ask for personal data.
NOTE: This information is not a substitute for legal advice.
Business & Finance Articles on Business 2 Community