FAQs on Privacy Policies
- identity and contacts of the data controller or data processor;
- the nature of personal data collected and held;
- the purpose and lawful basis for collection and processing of the data;
- description of technical and organisational measures taken to ensure the integrity and confidentiality of the data;
- data subject rights and how these rights may be exercised;
- details on sharing of data including any third parties with whom the data has been shared;
- details on international data transfers including the countries where the data is transferred to;
- the contemplated data retention period;
- your complaint handling mechanisms; and
- a statement on whether you collect personal data relating to children or other vulnerable groups.
Q: Apart from the legal requirements, are there some best practices that I can adopt?
A winning strategy for privacy policies is to make them very simple to read and understand. The less jargon and verbosity there is, the better. Try implementing some of the approaches suggested below:
- use simple and clear language like that adopted by the BBC.
- update your privacy policies and maintain a history of changes made to your privacy statement, as done by Microsoft.
Q: Can I copy and paste privacy policies from other websites or given templates?
You can achieve this by conducting an audit or data mapping exercise which helps you to develop an inventory of your organisation’s personal data. The data map reveals your data subject categories, the purposes and legal basis of processing the data and how data flows out of your organisation to other parties such as processors or to other countries.
Q: Where should I place my Privacy Policies?
If you do not have a website, you should place the policy in a place where it can be accessed by your data subjects before they give you their information. For example, if you are asking them to fill out account opening forms, you should provide them with the policy and give them an opportunity to read it before they provide their information.
Q: What next after development of privacy policies?
Once your policies are ready for use, you should make them available to staff either through your company intranet or in other written form. In addition, train your staff members on the policies. Staff development is necessary for effective compliance.
Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.