Articles 12, 13 and 14 of the GDPR outline the requirements for privacy policies. They essentially say that you need to inform data subjects that you have their information, and let them know how you are collecting it, where it is being stored and how long you intend to keep it (under the storage limitation principle in Article 5(1)(e), personal data may be kept for no longer than is necessary for the purposes for which it is processed).
Other issues you need to explain are:
- Who is collecting the data (your organisation or a third party);
- The legal basis you are using for processing; and
- Whether the data will be shared with third parties.
Finally, you should explain how individuals can exercise their data subject rights. The most important rights to address are:
- The right of access: Individuals must be allowed to submit subject access requests, which require organisations to provide a copy of any personal data pertaining to them.
- The right to rectification: If the information an organisation holds is inaccurate or incomplete, individuals can request that it be updated.
- The right to erasure (also known as ‘the right to be forgotten’): In some circumstances, individuals can request that the organisation deletes their personal data.
- The right to restrict processing: As an alternative to erasing data, there are times when individuals might prefer to restrict processing (such as when they contest the personal data’s accuracy).
Individuals have eight rights in total, which you can read about in more detail on our blog.
The GDPR has strict requirements for how privacy policies should be worded and structured. They must be:
- Concise, transparent, intelligible and easily accessible. Organisations should present the information efficiently, in as few words as the content allows, and the privacy information must be presented separately from, and clearly differentiated from, non-privacy-related content such as general terms and conditions.
- Clear and written in plain language. The policy must definitively state what the organisation intends to do with the information (avoiding vague terms such as ‘may’, ‘some’ and ‘possibly’). It must also be written in a way that an average member of the intended audience will understand. Organisations should make special provisions if they expect to provide information to children or vulnerable people.
- In writing. Although non-written means are permitted (videos, voice alerts, cartoons and infographics will be helpful – particularly for children or vulnerable people), privacy policies must always be available to read in a single, written document.
- Available orally upon request. Article 12 allows the information to be provided orally when the data subject asks for it, provided their identity is proven by other means. Organisations should therefore have a recorded version of the policy (or someone available to read it aloud), together with a way of verifying the requester's identity, if the need arises.
More advice on GDPR compliance
To find out more about complying with the Regulation, take a look at EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this book gives you a clear understanding of the GDPR, explaining:
- The terms and definitions used in the Regulation;
- The key compliance requirements; and
- How to comply with the GDPR.
This book is also available in French, German, Italian and Spanish.