Privacy Policy
What is a Privacy Policy?
A privacy policy is essential to your business if your company runs a website or a mobile app, as privacy is regarded as a fundamental right by most, if not all, countries. It is a legal notice on a website that explains how the website operator will collect and use the personal information it gathers from website users. In general, personal information includes a website user's name, IP address, date of birth, contact details, and financial information.
Why is it important?
Having a straightforward and transparent privacy policy can foster customer relationships with your business. Website users, who are your potential customers, can be reassured and will be more willing to use your website if they feel safe placing their personal information in your company's hands. On the other hand, you may lose the trust and confidence of website users if their personal information is collected and used without their knowledge or consent, harming the reputation of your business.
Moreover, having a privacy policy helps ensure compliance with the law, as most countries require a privacy policy for websites under their data privacy laws. For example, both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require data collectors to have a visible and accessible Privacy Policy for their users. In this article, we will discuss the GDPR in more detail since it has a greater reach worldwide than the CCPA.
As privacy is acknowledged as a fundamental right by practically every society, having a well-written policy can provide a stronger legal footing for your business if you are, unfortunately, challenged in certain legal settings.
GDPR
What is GDPR?
GDPR was implemented by the European Union (EU) in 2018. GDPR is an individual-centric regulation, where the law protects citizens within the EU by guaranteeing them certain rights relating to their personal data.
Which organizations must comply with GDPR?
The purpose of the GDPR is to protect the data of EU citizens and residents. Article 3(2) of the GDPR states that organisations which
- control and process a large amount of data of citizens within the European Economic Area (EEA), and
- offer goods and services to citizens within the EEA
are liable under the GDPR.
This means that the GDPR applies to all EU-based entities (businesses and companies) even if the data is used or stored outside the EU. Despite being an EU regulation, organisations all around the world have scrambled to comply with it. This is because the GDPR applies not only within the EU but also to entities that offer goods and services to EU customers and collect and process their data.
What types of privacy data does GDPR protect?
Personally identifiable information refers to data which can be traced back to a particular person, such as their name, social security number, or email address. Under the GDPR, aside from the above "direct" information, indirect information is also protected. This includes their IP address, any cultural or political identifiers and opinions, and even what time they come into work. Generally, as long as a person can be directly or indirectly identified from the data given, it is protected under the GDPR.
Do note that the GDPR only applies to natural persons and not legal persons. This means that you may collect data of a corporation in the European Economic Area without compliance with the GDPR. However, you may not do the same for a person in the European Economic Area.
What’s the best approach to achieving full GDPR compliance?
Generally, it is advisable to start with an internal audit of your data. Analyse what data you collect, how much of it is collected, and what the data is used for. Doing so will give you a framework for what you can continue collecting and what you should cease collecting.
Following that, working out who should be responsible for which data is a sensible step. Doing so will allow you to divide the work evenly throughout the enterprise and to understand whether you are a processor or a controller if you need to outsource your data to a responsible, GDPR-compliant data processor. This is the best stage at which to appoint your data protection officer.
The heavy lifting will then be technical, focusing on finding the best way to pseudonymise and organise data. Even though it is technical, it is important for everyone to maintain communication and stay on the same page. Doing so will produce the best result: full compliance with the GDPR in terms of data security, and happy customers.
Of course, when doing so, you would also need to update your terms and conditions as well as your privacy policy to include clauses regarding the GDPR for European Economic Area citizens. If you collect data online, you would also need to prepare a separate checklist in which data subjects opt in to or opt out of having their information collected.
What changes do I need to make to my website / app?
At a minimum, you will need to make changes to your Cookie Policy and your Privacy Policy:
What do I need to do to my Cookie Policy?
In the past, most websites made it mandatory for consumers to accept all terms and conditions and privacy policies before being allowed to use their service. These terms were obviously very one-sided, with little privacy protection for consumers.
Under the GDPR, you can no longer pre-check the boxes that accept your terms and privacy policy on the customer's behalf. You will need to give the customer the choice to pick and choose which policies and cookies they would like to accept. This adds a lot of complications for international websites.
For an example of a new cookie policy under GDPR:
https://docpro.com/doc1512/cookie-policy-for-website-gdpr-and-ccpa-compliant8.
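To make the "no pre-checked boxes" requirement concrete, here is an added example of a minimal per-category consent store (this is illustrative code written for this article, not the linked template or any docpro code). It assumes three hypothetical optional cookie categories; the point it shows is that every optional category starts as not consented, that unknown categories submitted by a form are ignored, that any cookie outside the strictly necessary category is only set after a recorded opt-in, and that withdrawing consent is as simple as giving it.

```javascript
// Added example, not from the original article. Category names are assumptions.
const CATEGORIES = ["analytics", "marketing", "preferences"];

// Default consent record: every optional category starts as false (unchecked).
// Strictly necessary cookies need no consent and are not listed here.
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { version: 1, choices, updatedAt: null };
}

// Record the visitor's explicit selections. A category is enabled only when the
// visitor set it to true; categories not in CATEGORIES are dropped, so a
// tampered form cannot enable something the cookie policy does not list.
// The timestamp gives you an audit trail of when consent was given.
function recordConsent(current, selections, now = new Date()) {
  const next = {
    ...current,
    choices: { ...current.choices },
    updatedAt: now.toISOString(),
  };
  for (const c of CATEGORIES) {
    next.choices[c] = selections[c] === true;
  }
  return next;
}

// Gate used before setting any cookie: strictly necessary cookies are always
// allowed; everything else requires a recorded opt-in for its category.
function maySetCookie(consent, category) {
  if (category === "necessary") return true;
  return consent.choices[category] === true;
}

// Withdrawal resets every optional category to false, as easily as opting in.
function withdrawConsent(current, now = new Date()) {
  return recordConsent(current, {}, now);
}
```

In a real site the record would be persisted (for example in a first-party cookie or local storage) and checked by every script that sets cookies or loads third-party tags, and the form that feeds `recordConsent` must render each optional category unchecked by default.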
What should I include in the Privacy Policy?
Safeguarding your website visitors' personal information is an integral part of your business, so a privacy policy should be drafted clearly, in a way that website visitors can easily read and understand. Here are some key elements that your privacy policy should contain:
- An introductory paragraph introducing your company and the purpose of the policy;
- Details about the exact information you will be collecting (e.g. website users' name, IP address, date of birth, etc.);
- Purpose of collecting personal information;
- Details about the method of collection and storage of information;
- Brief description of the use of cookies; and
- Details about the affiliated websites involved.
If you are running an e-commerce website that contains purchasing functions where website users may enter their credit card details, you should also explain how such payment information will be used and stored.
Essentially, a privacy policy should be clear and easily accessible to website users, and ambiguous clauses should be avoided in order to keep yourself out of trouble.
We understand it might be difficult to draft one from scratch – take a look at our templates below before you get started!
- Privacy Policy (with GDPR): https://docpro.com/doc107/privacy-policy-with-gdpr-website-mobile-app
- Privacy Policy/ Notice – Use personal data: https://docpro.com/doc120/privacy-policy-notice-use-of-personal-data-financial-institution-short-form