Privacy Policies Built for GDPR Compliance
Updating Your Privacy Policy for GPDR Compliance
Privacy policies are critical to GDPR compliance efforts, as this statement or notice explains how an organization handles personal data. We know that in order to comply with GDPR, a privacy policy should be concise and written in clear, plain language. However, in the weeks since GDPR became enforceable, many privacy policies are not meeting these requirements. This may be due to organizations rushing to create what they believe to be GDPR-compliant privacy policies but has resulted in quite the opposite. We’re seeing privacy policies that have a higher reading level, longer word count, and longer reading time, making them much more difficult to understand than before GDPR when into effect. So, what specific elements should a GDPR-compliant privacy policy include to avoid these pitfalls?
What Should GDPR-Compliant Privacy Policy Include?
According to Article 13 under Section 2 of GDPR, “Information and Access to Personal Data,” states the required information that should be provided when personal data is collected from a data subject. Following Article 13’s guidance and others, we’ve compiled a checklist that will give your organization over 20 items to consider when creating or updating your privacy policy in order to help guide you toward a GDPR-compliant privacy policy.
To ensure fair and transparent processing, the law states that privacy policies must demonstrate the following:
- Identify the data controller
- Identify the data protection officer
- Define the purposes of processing
- Define the legal basis for processing
- When “legitimate interests” are your legal basis for processing, describe the legitimate interests for processing
- Describe the recipients or categories of recipients of personal data
- If applicable, identify any intent of international transfers of personal data
- If applicable, identify safeguards for international transfers of personal data
- Define the data retention period
- Describe data subjects’ right of access to personal data