
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


5 Tips on How to Write a GDPR Ready Privacy Policy

Posted: 20 June 2018


In the scramble of the final days leading up to the 25th of May 2018, Google crawl bots would have noticed universal updates taking place across the internet. Privacy policies for an unquantifiable number of organisations and companies were being adapted to fit the GDPR.

Prior to this event you may have been forgiven for not knowing what a privacy policy is; today it has become an integral part of any knowledgeable GDPR conversation worth joining. So, for fear of being behind the times, let's explore what a privacy policy is and how to make sure yours is ready for the doomsday that is the GDPR.

What is a Privacy Policy?

A privacy policy is a statement, generally available on a public website, which details how your organisation complies with the principles of the GDPR and how it processes personal data.

While a privacy policy itself is not expressly required under the GDPR, Articles 12, 13 and 14 require data controllers to be transparent and clear with data subjects about their intended processing activities. Rather than bulking out forms and other data collection points with this information, many organisations are choosing to dust off their old privacy policy and turn it into a one-stop shop for all things data protection.


How to Write a Privacy Policy

To write an effective privacy policy consider the following tips.

1) Describe who is collecting the personal data and what is being collected - List any names under which your organisation trades, together with a general description of its business activities. Include a summary of the types of personal data that you collect and process, for example website interaction data such as cookies, or form-based personal data such as newsletter sign-ups.

2) Include your legal basis for processing, whether that is consent or legitimate interests - Make sure you can justify your processing, particularly in the case of legitimate interests. When relying on that legal basis, you will need to have evaluated the impact the processing has on data subjects.

3) List any third parties or external processors who may be supplied with any of the collected personal data, including the processing activity they will carry out - Remember to include even the most benign examples, such as Google Analytics or your marketing automation platform in the case of website interaction data.

4) Detail how long you intend to retain any collected and processed personal data - "Indefinite" is not an acceptable value and, needless to say, the retention periods specified in your privacy policy must reflect what actually happens in practice.

5) Provide instructions on how data subjects can exercise their rights and which channels to use - Examples might include a form for submitting a subject access request, or a phone number to call to object to processing. Also include a general contact for the person responsible for data protection in your organisation.

On Public Display

While a privacy policy is not expressly required by the GDPR, it has become something of a tool by which the public judges an organisation's data protection credentials. As the world and data subjects become more in tune with data protection and their privacy rights, privacy policies are likely to become a critical point on which choices are made between competitors.


Getting your privacy policy right now will not only help you with the GDPR but will also become a promotional tool for your organisation's good practices.


Posted by: Chris Payne
Senior Technical Consultant, Infinigate UK
