Since the GDPR came into force on the 25th May 2018 and the Data Protection Act 2018 came into force on the 23rd May 2018, businesses need to communicate with their users on how they are going to protect and interact with their personal information. One aspect that many businesses seem to be missing is their privacy policies and notices, which explain how the data is collected, how the information will be used and for what reasons.
GDPR and privacy
Under the GDPR, a privacy notice must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear, easy-to-understand language, particularly if it addresses children
- Provided free of charge
When working on your privacy policies and notices, you should think about what information you need as well as how it will be processed and where. The following questions should be considered when you start working on building out a privacy notice:
- What information do you need to collect to fulfil the service/request?
- Who is collecting the information?
- How will the information be collected?
- Why is the information being collected?
- Where will the information be stored?
- Who will the information be shared with?
- How will the information be used?
- Are you going to be the data controller or data processor?
- Who will be the point of contact for data privacy questions?
- Is the information going to be passed to third-party systems?
Where should a privacy notice go?
A privacy notice should go wherever you collect information, for example on contact forms. It should explain why you are collecting the information, as shown in this Microsoft signup form.
As you can see, it clearly states that the date of birth is collected for the provision of age-related services.