Is Your Privacy Policy GDPR Ready?

“We are updating our privacy policy gdpr”.

Every online citizen's inbox has been inundated for many months now with emails carrying this subject line. This is the GDPR effect!

GDPR applies to all organizations that operate in the European Union (EU) or deal with the data of EU residents. There are a lot of organizations and a lot of updated privacy policies.

What Does GDPR Say?

The requirements for a privacy policy are laid out in Articles 12, 13 and 14 of the GDPR. These ask organizations to draft a privacy policy that is concise, easy to use and transparent. It should also be written in clear and simple language and should be available to users for free. This is stricter than the requirement laid down in the DPA 1998 and hence offers more clarity to data subjects.

These are the main reasons why organizations are updating their privacy policies and why their consumers, subscribers, and users are receiving emails announcing these updates.

What Should the Privacy Policy Tell the Data Subject?

The privacy policy of an organization that must comply with the GDPR should answer the following questions for data subjects.

Question 1: Who is collecting the data of the data subject?

The organization should clearly mention the name of the company, subsidiary, or any other entity that is collecting the data.

Question 2: What data is collected and for how long will it be stored?

There should be clear and concise information about the data of the individual that the organization will be storing or processing. The organization also needs to specify the time period for which it intends to store and/or process the data.

Question 3: What is the legal justification for the data collection?

Companies must inform their data subjects about the specific reasons for which their data is being collected. This helps users understand that their data is being used for a specific purpose as part of service delivery.

Question 4: Will the data be shared with other entities?

This is very important. Where data is shared, the privacy policy should clearly state that it will be shared with a third party, along with the reason or necessity for such sharing. This keeps the data subject informed about the organizations that have their data and gives them control over who gets to have it.

Question 5: What rights does the user have?

With respect to data sharing, the privacy policy should be clear and transparent. It should mention whether users can withdraw consent, disagree with a particular clause, or request deletion of certain particulars.

Under GDPR

Organizations have to be extra careful about what they put in a privacy policy. It should be understood that levying fines under GDPR is a subjective matter. Authorities will consider on a case-by-case basis how large a fine must be levied on an organization. A big part of their decision-making process will be the various steps that the organization took to comply with the GDPR. A well-crafted privacy policy will definitely come to the organization's rescue in such a scenario.