GDPR compliant Privacy Policies

Privacy notices on websites are nothing new. In 2010 Facebook earned a degree of notoriety when its privacy policy was found to be longer than the US Constitution. That is exactly the kind of thing GDPR sets out to tackle, so I thought it worth looking at what the Regulation means for your privacy policy.

There are likely to be some significant impacts on your existing privacy policy as a result of GDPR. It will be shaped by several rights and principles in the Regulation.

The first is the right to be informed, with transparent information. To quote Article 12, information must be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". So out with the legalese, and I think few of us will mourn that.

Article 13 goes on to be quite specific about the information that must be provided where data is collected from the data subject. In practice the principles of fairness and transparency boil down to answering:

  • What data are you collecting?
  • How is it collected?
  • Being clear who is collecting it
  • Will data be shared with any other organisation? Who?
  • Why are you collecting the data?
  • How will you use it?

GDPR recognises six lawful bases for processing personal data, set out in Article 6: consent, performance of a contract, a legal obligation, vital interests, a public task and legitimate interests. Your policy should explain why you are holding the data in the context of the lawful basis you rely on, and where that basis is legitimate interests, say what those interests are. Connected to this is your retention policy: how long the information will be kept, or, if that cannot be fixed in advance, the criteria used to decide the period.

It is a natural extension of being transparent about who you are to explain how data subjects can contact you, whether for further information, to make a subject access request under Article 15 or to exercise their other rights, such as rectification, erasure and objection.

There will always be nuances depending on the nature of the business you conduct. The UK Information Commissioner's Office provides very helpful and detailed guidance. But I hope this short summary helps you keep your privacy policy shorter than the US Constitution!