‘Transparency’ and ‘accountability’ are principles that run through the core of the General Data Protection Regulation (GDPR), and one of the key requirements is the need for organisations to provide people with extensive information about how their personal data is being processed.
A privacy policy must be concise, easy to understand and presented in an accessible form; an ambiguous policy hidden away on your website definitely won’t suffice. The policy should explain:
- the identity of the organisation which collects and uses the personal data (e.g. its full name and contact information);
- what personal data is collected (e.g. name, email address, telephone number);
- how personal data is collected (e.g. through a contact form on the organisation’s website or via cookies);
- why personal data is collected and the lawful basis which is being relied on to process the personal data (the lawful bases include consent, legitimate interests and necessity for the performance of a contract);
- when personal data may be disclosed to third parties and the purpose of such disclosures;
- when personal data is transferred outside the European Economic Area and details of the safeguards used to legitimise such a transfer;
- details of the additional rights which individuals have in respect of their personal data (e.g. to request access to, deletion of or correction of their personal data, or to request that their personal data be transferred to another person).
All of these factors are key considerations when attempting to draft GDPR-compliant privacy policies and to prevent GDPR-related exposure and liability in the future.