Writing a privacy policy for the GDPR
Last week, we released a quick guide to the European Union’s General Data Protection Regulation (or GDPR) and in it, we mentioned the need for a clear and concise privacy policy. So today we bring you a simple guide to assist with updating your privacy policy so that it is GDPR compliant.
Disclaimer: This information is based on our own research and understanding of the topic, but please understand that this is general advice only. We are not lawyers, and it is important to get your own legal advice regarding these matters.
For your privacy policy to be compliant with the GDPR, it must be:
- Concise, transparent, intelligible and easily accessible. Ensure there is a link to the policy in the footer of your site, and mention it in any other relevant places, such as contact forms.
- Written using clear and plain language, particularly if addressed to a child. Avoid complicated legal language; the policy can be written in an informal style, so long as it covers all the points below.
- Free of charge. Fairly straightforward: the policy can't be hidden behind any paywall, and physical copies should not carry a charge.
A big part of the GDPR is clearly conveying, within your company's privacy policy, the rights of users and what their information will be used for. You should make absolutely sure that people coming to your site know exactly what is happening with their information, without the need for further explanation.
The policy should also address the following points:
- What information, if any, are you collecting? This includes any content people submit in contact forms, along with usernames, IP addresses and email addresses.
- For what reasons are you collecting it? For example, if you keep email addresses from contact forms so that you can contact people later.
- Will the information be shared with any third parties? Any third-party tracking, such as Google Analytics, must also be disclosed.
- How will the information be used? If you share any information with third parties, how will they use it?
- How long will the information be held for? By both you and any third parties.
- What rights does the user have? These are covered in Articles 12 through 23 of the GDPR. While we cover some of the rights users have in our quick guide, you can find a more detailed summary of these rights in the OAIC's guide under the "Expanded rights for individuals" section.
- In what ways can a user raise a complaint? Make sure that users have a way to contact you if they wish to exercise any of the rights afforded to them by the GDPR.
Hopefully this guide gives you a good starting point for working on your privacy policy. For more detailed information, Articles 12, 13 and 14 of the GDPR outline what is required.
If you aren’t sure if the GDPR applies to you, consider looking over our previous guide.