In the scramble of the final days leading up to the 25th of May 2018, Google crawl bots would have noticed universal updates taking place across the internet. Privacy policies for an unquantifiable number of organisations and companies were being adapted to fit the GDPR.
[You may also like "Exercising Your Legitimate Interests with the GDPR"]
1) Describe who is collecting the personal data and what is being collected - List any names which your organisation is listed under, their general business activity descriptions. Include a summary of the types of personal data that you collect and process, for example any website interaction data such as cookies or any form based personal data such as newsletter sign-ups.
2) Include your legal basis for processing, whether that be through seeking consent or legitimate interests - Make sure you can justify your processing, particularly in the case of legitimate interests. When using this legal basis for processing, you will need to have evaluated the impact processing has on data subjects.
3) List any third-parties or external processors who may be supplied any of the collected personal data, including the processing activity to be carried out - Remember to include even the most benign examples such as Google Analytics or your marketing automation platform, in the case of website interaction data.
5) Provide instruction on how data subjects are able to exercise their rights and the channels to use - Examples might include a form for requesting a subject access request or a phone number to use in the case of objecting to processing. Also include a general contact for the person responsible for data protection in your organisation.
On Public Display
[You may also like "GDPR & Personal Data in the Public Domain"]