How to create Privacy policies/notices

Since the GDPR came into force on the 25th May 2018 and the Data Protection Act 2018 came into force on the 23rd May 2018, businesses need to communicate to their users how they are going to protect and interact with their personal information. One aspect that many businesses seem to be missing is their privacy policies and notices; these explain how the data is collected, how the information will be used and for what reasons.

GDPR and privacy

Under the GDPR, a privacy notice must be:

  • Concise, transparent, intelligible and easily accessible
  • Written in clear, easy-to-understand language, particularly if it addresses children
  • Provided free of charge

When working on your privacy policies and notices, you should think about what information you need, as well as how and where it will be processed. The following questions should be considered when you start building out a privacy notice:

  • What information do you need to collect to fulfil the service or request?
  • Who is collecting the information?
  • How will the information be collected?
  • Why is the information being collected?
  • Where will the information be stored?
  • Who will the information be shared with?
  • How will the information be used?
  • Are you going to be the data controller or data processor?
  • Who will be the point of contact for data privacy questions?
  • Is the information going to be passed to third-party systems?

Although the above questions are a starting point, it is important to remember that the information you collect will change over time; as part of your change process you should ensure that the privacy policy reflects any changes in data collection.

Where should a privacy policy go?

A privacy policy should be in a location that is easy to find, so that the user or data subject can readily identify how you handle their information. One such place is your website: a link in the footer of your website allows people to view your statement.

Where should a privacy notice go?

A privacy notice should go wherever you collect information, for example on contact forms. It should explain what information you are collecting and the reasons why, as shown in this Microsoft sign-up form.

Microsoft privacy notice

As you can see, it clearly states that the date of birth is collected for the provision of age-related services.
