What should you include in your Privacy Policy under GDPR?

With all the different advice around, it is difficult to know what to put into your privacy policy. This article aims to give you some clear guidance on what is important.

A privacy policy is the first step in demonstrating your compliance with the new GDPR data protection laws. The privacy policy, also known as a privacy statement or a privacy notice, is intended to let people know what you do with their data. Many privacy policies are published on the company website, and that is a great place to have them, as anyone who deals with you can see them there. However, they can also be sent via email or provided in hard copy.

Sometimes you will need only one privacy policy if you don’t deal with a lot of personal data. In other cases you may need multiple privacy policies, each made available in a different situation. The important thing to remember is that the policy must be available at the point of data collection.

Another stipulation is that you must not bundle your privacy policy with the terms and conditions on your website; they must be kept separate.

Writing the privacy policy

So what should you include in the privacy policy? There are a number of areas you must cover in your policy and these include:

  1. Details of the data controller (the name of the company that makes decisions about what happens to the data).
  2. Your representative in the EU. This only applies if you are based outside of Europe.
  3. The contact details of the Data Protection Officer. Not all organisations need a data protection officer, but it is a good idea to appoint someone who can deal with any enquiries about data processing.
  4. The purpose for which you are collecting the data. This could be for marketing, order processing or recruitment.
  5. The types of data you are processing (clearly stating which data is personal, sensitive or criminal).
  6. The types of data subject.
  7. Where you got their data from (if it wasn’t directly from the data subject).
  8. Details of any recipients of the personal data.
  9. Details of any transfers to third countries.
  10. How long personal data is retained. This may vary depending on the type of data and any statutory requirements.
  11. Details of the technical and organisational security measures in place.

If you still want a bit of help, then get in touch; we are happy to help.