Successful privacy compliance programs hinge on the development and implementation of a wide range of policies. One such policy is the privacy policy. In this FAQ we consider some of the common questions that arise in the development and implementation of privacy policies.
Q: What is a Privacy Policy?
A Privacy Policy is a document that outlines an organisation’s data handling practices including how it collects, uses, shares, transfers, stores, retains or destroys personal data.
Q: Why should I have a Privacy Policy?
Having a privacy policy is a requirement under the law. The Data Protection Act 2019, provides that you must notify people before you collect any personal data or information from them. In addition, you must be transparent about how you will use the data after collection. Therefore, if you collect or use personal data relating to individuals such as customers, employees, consultants or suppliers (“data subjects”) you must notify them before you start doing so. In order to comply with this requirement, you must publish or avail a privacy policy to your data subjects.
Q: Are there any legal requirements on the contents of a Privacy Policy?
Section 29 of the Data Protection Act provides guidance on contents of a privacy policy. Additionally, Regulation 22 of the draft Data Protection (General) Regulations 2021 also offers some additional guidance.
In summary, the Privacy Policy should contain the following:-
- identity and contacts of the data controller or data processor;
- the nature of personal data collected and held;
- the purpose and lawful basis for collection and processing of the data;
- description of technical and organisational measures taken to ensure the integrity and confidentiality of the data;
- data subject rights and how these rights may be exercised;
- details on sharing of data including any third parties with whom the data has been shared;
- details on international data transfers including the countries where the data is transferred to;
- the contemplated data retention period;
- your complaint handling mechanisms; and
- a statement on whether you collect personal data relating to children or other vulnerable groups
Q: Apart from the legal requirements are there some best practices that I can adapt?
A winning strategy for privacy policies is to make them very simple to read and understand. The less jargon and verbosity there is, the better. Try implementing some of the approaches suggested below:–
- use the multilayer privacy policy i.e. have the privacy information availed to users in small and easy to digest chunks. This way, they will not be overwhelmed by the prospect of reading the whole policy at once. A good example of this is the approach taken by NatGeo or Walt Disney.
- use simple and clear language like the one adopted by BBC.
- consider using explainer videos such as the one used by Google in its privacy policy.
- update your privacy policies and maintain a history of changes made on your privacy statement as done by Microsoft.
Q: Can I copy and paste privacy policies from other websites or given templates?
While it is tempting to lift a privacy policy from a website offering similar products or services or to use custom templates, this practice can expose you to legal liability. If your privacy policy and privacy practices are misaligned, a data subject can use this to discredit your privacy program. For example, they can rely on statements in your privacy policy and point to gaps in your practices to show that you are neither transparent nor fair in data collection and processing. Therefore you should always aim to ensure that your privacy policy is factually correct.
Q: How can I ensure that my Privacy Policy is factually correct?
You can achieve this by conducting an audit or data mapping exercise which helps you to develop an inventory of your organisation’s personal data. The data map reveals your data subject categories, the purposes and legal basis of processing the data and how data flows out of your organisation to other parties such as processors or to other countries.
Q: Where should I place my Privacy Policies?
The law requires that a privacy policy be accessible to the data subject prior to collection of his or her data. Your goal should be to ensure that your users are encouraged to read the privacy policy at every available opportunity.
If you have a website you should consider having a link to your privacy policy on your website. You should also include the policy in every webform where users submit their personal data. For example, you can include it in your contact forms, account opening or signup forms and shopping cart checkout forms.
If you do not have a website, you should place the policy in a place where it can be accessed by your data subjects before they give you their information. For example. if you are asking them to fill out account opening forms you should provide them with the policy and give them an opportunity to read it before they provide their information.
Q: Can I have more than one Privacy Policy?
You can have different privacy policies tailored to meet the needs of your various data subjects. For example, you can have a privacy policy relating to your customers and suppliers and a separate one relating to your employees or board of directors. You should also have an internal privacy policy to address data privacy management from an organisation-wide perspective. This is a holistic policy shared with all employees which spells out your organisations privacy commitment and obligations to data subjects.
Q: What next after development of privacy policies?
Once your policies are ready for use, you should avail them to staff either through your company intranet or in other written form. In addition, train your staff members on the policies. Staff development is necessary for effective compliance.