Is Your Privacy Policy GDPR Ready?

“We are updating our privacy policy GDPR”.

Each and every online citizen’s inbox has been inundated with this subject line of emails for many months now. This is the GDPR effect! GDPR or the General Data Protection Regulation applies to all the organisations that operate in the European Union (EU) or deal with the data of EU residents. There are a lot of organisations and a lot of updated privacy policies.

What Does GDPR Say?
The requirements related to privacy policy are laid out in the GDPR document in Articles 12, 13 and 14. These ask the organisations to draft a privacy policy GDPR that is concise, easy to access, and transparent. It should also be written in clear and simple language and should be available to the users for free. It is stricter than the requirement laid down in the Data Protection Act 1998 and hence offers more clarity to the data subjects.
This is the reason why organisations are updating their privacy policies and their consumers, subscribers, and users are receiving emails announcing these updates.

What Should the Privacy Policy Tell the Data Subject?
The privacy policy of an organisation that must comply with the GDPR should answer the following questions of the data subjects.

Question 1: Who is collecting the data of the data subject?
The organisation should clearly mention the name of the company, subsidiary, or any other entity that is collecting the data.

Question 2: What data is collected and for how long will it be stored?
There should be clear and concise information about the data of the individual that the organisation will be storing or processing. Also, the organisation needs to specify the time period for which they intend to store and/or process the data.

Question 3: What is the legal justification for the data collection?
Companies must inform their data subjects about the specific reasons for which their data is being collected. This will help the users understand that their data is being used for a specific purpose as part of their service delivery.

Question 4: Will the data be shared with other entities?
This is very important. The privacy policy should clearly state whether the data will be shared with a third party and the reason or necessity for such sharing. It keeps the data subject informed about the organisations that have their data and gives them control over who gets to have it.

Question 5: What rights does the user have?
The privacy policy GDPR should be clear and transparent about the rights of the data subjects with respect to the data they are sharing. It should mention whether they can withdraw consent, disagree to a particular clause, request for deletion of certain particulars, and so on.

Under GDPR, organisations have to be extra careful about what they are putting in a privacy policy. It should be understood that levying fines under GDPR is a subjective matter. Authorities will consider on a case-by-case basis how much fine must be levied on an organisation. A big part of their decision-making process will be the various steps that the organization took to comply with the GDPR. A well-crafted privacy policy will definitely come to the organisation’s rescue in such a scenario.

Leave a Reply

Your email address will not be published. Required fields are marked *