Privacy notices are one of the twelve core components of GDPR compliance. However, privacy notices also address key policies from other GDPR core components, including Legitimate Basis for Data, Information You Hold, Explicit and Clear Consent, and Individual Rights.
According to the GDPR, privacy notices must be readily available (e.g., a link on your website), easy to understand, and clearly state what data is collected and how it is used. At a minimum, your privacy notice should include the following:
- A description of what your organization does.
- A description of what personal data is collected, why it is collected, how it will be used and how long it will be stored.
- Include all types of personal data and how it is obtained. The list is more extensive than the name, job and contact information that may be collected in a registration form. It also includes "Website Navigational Information" such as cookies, web beacons, IP addresses, etc.
- Explain how the data will be processed/utilized.
- Explain under what conditions, if any, data will be shared with third parties.
- Explain how long the information will be stored.
- If you collect "sensitive personal data" (e.g., race, religion, sexual orientation), you must disclose this and provide a legitimate reason for collecting such data.
- A description of how your organization addresses the data privacy rights of data subjects (i.e., people who reside in the EU). These include but are not limited to the following (note: ClearVantage has new functionality available that helps comply with each of the privacy rights below):
  - Right of access. Provide instructions on how to request a copy of the information that your organization holds about the data subject.
  - Right of rectification. Provide instructions on how to correct data that your organization holds about the data subject that is inaccurate or incomplete.
  - Right to be forgotten. Inform data subjects that under certain circumstances they can ask for the data held about them to be erased from your records.
  - Right to restriction of processing. Provide instructions for granting or withdrawing consent for specific forms of processing, such as email marketing and automated processing.
  - Right of portability. Provide instructions to the data subject for requesting their data in a machine-readable and commonly used format.
  - In cases where a data subject makes a request that cannot be fulfilled, provide instructions for how to object.
- Contact information and instructions for questions about privacy.