GDPR Privacy Policy – What needs to be in it?

GDPR Privacy Policy

GDPR demands that each organisation implements appropriate privacy arrangements and that it can inform all involved parties of those arrangements by publishing a privacy statement or policy. Your duty to proactively inform and provide transparency on the personal data you use and your privacy position is one of the key requirements of GDPR. Only when those interacting with your firm are duly informed, they can make an informed decision as to whether or not they are willing to enter into business with you.

In short, without a published privacy policy, you are definitely not GDPR compliant and risk challenges from customers, staff, suppliers and the regulator.

Just copying and pasting a privacy statement from the internet is likely to cause more harm than good. GDPR requires your communications to be specific to the way your firm operates. Boilerplate or catch all statements, vague or overly complex legal jargon is explicitly stated as non-compliant in the GDPR regulation.

Surely in this day and age, you want to give privacy the attention it deserves and do it properly. It is not that hard, and we at GDPRWise can certainly help. If you already have a privacy policy you can GDPRWise validate it using our free online policy checker. You can join GDPRWise so we can help you create a compliant privacy policy in no time.

If you want to have a crack at creating a privacy policy from scratch you want to make sure your privacy policy covers at a minimum the below items:

1. Clear statement of responsibilities

Clarifying responsibilities is generally a good thing when providing transparency. GDPR has outlined a few key responsibilities that you should clarify in your privacy policy: who is your key contact for GDPR; and for each processing activity who is the data controller, and who is the data processor.

SME organisations are generally not required to have a formal Data Privacy Officer (DPO) unless it is involved in the processing of personal data at a large scale. It is however advised for all SME organisations to have someone on point for privacy e.g. a GDPR Coordinator. By establishing a GDPR Coordinator you can give your privacy effort focus and make sure there is a knowledgeable person that can act as the single point of contact for any queries or challenges.

For each of the activities in which you process personal data e.g. booking customer appointments, invoicing & accounting, sending out of a newsletter etc. you should outline who is the data controller and who is the data processor. The data controller is the party that sets the purpose and means of the processing. The data processor is the party that processes the data in line with the instructions set by the data controller. For those processing activities you handle in-house you are likely to be both the data controller and data processor. In other processes you could hold either role. For more information and examples on the data controller vs data processor roles see our knowledge base item on the topic.

2. List the processes that use personal data

A core aspect of providing transparency is to outline the processing you undertake that involves personal data. You might not have reflected upon this aspect before, but once you do there are a few processes where you use personal data of your customers, staff or suppliers e.g. client intake, client correspondence, invoicing, staff remuneration, sending out newsletter etc. Make sure your privacy policy and the processes within cover your online / digital interactions e.g. quote request form as well as your in-store / office interactions e.g. in-store loyalty card.

For each of those processes GDPR requires you to provide transparency on the process’ business purpose, its GDPR legal basis, the personal data items used and how long you will retain the data. For more information on business purpose and DPR legal basis, see the dedicated knowledge base item on it Legal basis, what are those?

3. List the processes that share personal data

Your firm does not operate in a silo, it has suppliers and partners it collaborates with and by doing so, it shares data. You share data with your accountant, your HR benefit processor, your IT support partner, just to name a few. But equally as you use cloud software e.g. a CRM tool, or online reservation tool the personal data you record on those platforms is shared with the software vendor. All these interactions are perfectly normal and GDPR does not prohibit those, it just insists you inform parties, so they can take an informed decision as to whether or not they are willing to enter into business with your firm.

So make sure to list the processes that share personal data and whom you share data with e.g. data you share with your accountant, IT support partner etc. or through the use of cloud platforms e.g. Facebook, Mail-chimp, Stripe etc. If you share data outside the EU, you should outline how you ensure that adequate measures are in place to safeguard the security and privacy of the data. This can be a complex topic and it might not be too obvious if your data leaves the EU or not. For more information see our knowledge base in What to do if I’m not sure if the data resides in the EU?

4.Social Media

If your firm uses social media, make sure to warn users that social media platforms process their personal data and have their own privacy policy which differs from yours. Mention your firm and the platform are likely to be considered joint data controllers.

5.GDPR Data Rights

GDPR puts all of us in control of our personal data, which is one of the great benefits of the regulation. Whenever an organisation processes our personal data, GDPR gives us a set of rights we can call upon. Each of us can exercise those rights at any time.

From the perspective of the organisation using the personal data of individuals, you need to ensure you inform individuals about their rights and at the same time implement the appropriate processes to make sure they can swiftly exercise their rights.

So make sure to list the GDPR data rights your users have and how they can exercise those. Also state how users can contact you and if needed raise a complaint with the relevant authority. Do note that the regulator recommends you establish a dedicated communication channel for all privacy related matters. So avoid reusing info@mycompany.com and set up a dedicated privacy@mycompany.com mailbox.

Once you have a good privacy policy that covers the above items, make sure you reference it in all your communications to satisfy the GDPR requirement to proactively inform those involved:

• publish your privacy policy as a top-level link on your website, for example in the footer of your website. Make sure the link is visible from all pages. Do not hide your privacy policy in any terms & conditions document as GDPR requires it to be directly and prominently visible.
• reference your privacy policy in your email by adding an email footer
• reference your privacy policy in your marketing emails along with the ability to un-subscribe
• reference your privacy policy on any of the social media platforms you use in the About your firm section
• we advise you to have a dedicated privacy policy for your staff (and independent contractors) and attached it as an appendix to the contract of employment.

If this all sounds a bit too much, do know that GDPRWise has made it really fast and easy for you to get an appropriate privacy policy. GDPRWise has done the hard work for you by creating very specific filled-in dossiers tailored to your industry sector. We have done 80% of the work, you just have to validate and refine. Click here to create your Free GDPRWise account.

We have also created a number of training video’s which you might find useful. For example this video on the Essence of GDPR. The video is available in several languages.