What to Include in a GDPR Privacy Policy
You know you need a Privacy Policy and you think you also need to be compliant with GDPR. So what are the requirements of a GDPR Privacy Policy?
The exact content of your website's Privacy Policy will be determined by the type of business you are running. However, all Privacy Policies do require these things in order to be GDPR compliant: an outline of what personal data your company collects, why you collect that data, who the data may be shared with, where it is stored, and how it is kept protected. It must also ensure that users are made aware of all of their rights when it comes to their personal data.
What is a Privacy Policy?
A Privacy Policy is a legal document. It is an agreement between you and your user that outlines what data you collect from them, and how and why you collect their personal data. It also explains where and how the data is stored and what security measures you have in place to protect the data.
There are international privacy laws that your Privacy Policy should comply with. For further information on international laws, read our article: International privacy laws
What to Include in a GDPR compliant Privacy Policy
To understand what is required in a GDPR compliant Privacy Policy you need to know what GDPR is. GDPR stands for the General Data Protection Regulation, which the EU put in place to protect the rights of its residents and citizens and their personal data. For an in-depth look into the GDPR, read our article GDPR Compliance and Checklist.
Here is a list of the sections and clauses that your GDPR Privacy Policy needs to include:
- Table of Contents
- Data Collection
- Personally Identifying Information
- Non-Personally Identifying Information
- Cookie Policy
- Data Protection Rights (Under GDPR)
- Data Protection Fee
- Policy Changes
- Contact Information
- How to Contact Data Controller
- How to Contact Data Protection Officer
Table of Contents
Data Collection
A clear explanation of what kind of data will be collected from the user is a must in order to be GDPR compliant. It is also required that you include how the data is collected, where the data is stored and processed, and how long the data is retained. Another aspect of data collection to include is the security measures you have implemented to protect your users' personal data.
Personally Identifying Information
Your Privacy Policy needs to explain what Personally Identifying Information (PII) is. Let your users know what types of PII your company/website collects (example: Full name, Street Address, birthdate). It is also required for you to explain:
- how the information collected is used
- whether the information may be disclosed to third parties, and if so, to whom
- how the user can opt in or opt out of personal information collection
- how they can update, restrict or delete their personal information
- how they can request erasure of their personal information.
Non-Personally Identifying Information
Your company/website may also collect Non-Personally Identifying Information like education status, geolocation or IP address. A Privacy Policy also needs to contain information about what type of Non-Personally Identifying Information you collect and how you may use this information.
Cookies
Your Privacy Policy should have a section explaining Cookies. What is a cookie, and how does it enable certain functions on your website? What types of cookies does your website use and what are they used for? And how can your users opt out of them if they wish?
Your Data Protection Rights
In alignment with the GDPR (see our article on it here), you must outline the data protection rights of your users/customers.
The rights are as follows:
- to be informed: Your users have the right to know about how you collect and use their personal data. This is a major requirement under the GDPR to promote transparency. Users must be provided with privacy information at the time their personal data is collected.
- of access: Your users have the right to access their data at any time; they can request this either verbally or in writing. You have a one month time period in which you must respond to the request.
- rectification: Users of your website have the right to have any inaccuracies in their personal data changed. This can be done through a verbal or written request and you have one calendar month in which to respond.
- to be forgotten: Under the GDPR users have the right to have their personal data erased. This right is also known as the right to erasure. Once again users can make this request either verbally or in writing and you have a month in which to respond to the request.
- restrict processing: Users have the right to request that you do not process their personal data. They can make this request either verbally or in writing and you need to respond within one calendar month. However, the right to have personal data restricted only applies in certain circumstances.
- object to processing: Your users have the right to object to their personal data being used for the purpose of direct marketing. They can also request that you stop processing their personal data, and there are some circumstances in which this applies. These circumstances are if the processing is for: "a task carried out in the public interest; the exercise of official authority vested in you; or your legitimate interests (or those of a third party)."
- data portability: this right allows your users to have access to their personal data so they can use it for their own purposes. They can move this data from one IT environment to another safely and securely.
- to object to automated processing: Your users are able to object to the processing of their personal data that is processed without human involvement by automated means.
Data Processing Fee
You must let your users/customers know if there may be a processing fee for any of their requests involving their data. In most cases a fee won't apply but you must inform them of the chance there may be one.
Contact details
You must put the company contact details in your privacy policy statement in order for your users to be able to contact you easily.
How to contact the data controller
Under the GDPR you must have contact details for the data controller officer (if you have one) made available in your Privacy Policy.
How to Contact data protection officer
Contact details for the data protection officer (if you have one) are to be made available in your Privacy Policy under the GDPR.
Conclusion
To ensure your Privacy Policy complies with the GDPR, your users need to be informed about their rights in relation to the personal data you are collecting from them. The Privacy Policy must include information on what personal data you collect, how you use it, how you collect it, why you collect it, where it is stored and how it's kept secure.
Disclaimer
The information in this article is for informational purposes only and should not be construed as legal advice on any matter, and does not create a lawyer-client relationship.