Privacy policies have been in place for some time, but the European Union’s recent General Data Protection Regulation (GDPR) ruling has changed privacy regulations. These new regulations go into effect later this month.
Personal information includes name, address, date of birth, contact information, marital status, financial records, medical history, personal identifiers such as SSN, passport or state ID information, among other things.
How has the GDPR changed privacy policies?
There are eight rights that are guaranteed to individuals under the GDPR:
The Right to Be Informed: Organizations must be transparent in how they’re using personal information.
The Right of Access: Individuals have the right to know what information is collected about them and how it’s processed.
The Right of Rectification: Individuals can have data about them corrected.
The Right to Erasure: Individuals can request to have their data deleted or removed.
The Right to Restrict Processing: Individuals can restrict or block the processing of their data.
The Right to Data Portability: Individuals can retain and reuse their own personal data.
The Right to Object: Individuals can object to their personal data being used, including for direct marketing, for research and for the performance of a task in the public interest.
Rights Related to Automated Decision Making and Profiling: Protect individuals from potentially damaging decisions that are made solely by automated means, without human intervention.
Additionally, the GDPR defines two roles an organization may play in using customer information: the Controller and the Processor. If the organization determines the purpose (the why) or means (the how) of data processing, it is a Controller; if not, it is a Processor. Controllers are responsible for choosing to work only with Processors that comply with the GDPR, or they risk penalties.
Your name or the name of your business, address and contact information.
What information you’re collecting and how you’re collecting it.
How you use the information you’re collecting.
Whether the information you’re collecting could include personally identifying information.
How you’re protecting that information and keeping it safe.
Whether you’re sharing the information with a third party, including what information you’re sharing.
Whether individuals can choose not to share their information, how they can opt out and what opting out means for them.
The state, federal and international privacy laws and initiatives your policy complies with.
Controller’s identity and contact information.
Details of the data protection officer, if required.
The purpose and legal basis for processing personal information.
The legitimate interest relied on for processing personal information, where that is the basis for processing.
The recipients or types of recipients of the personal information, if shared.
The consequences for the individual of not providing personal information, where providing it is a statutory or contractual requirement.
How the controller collects the personal information, if it’s not being provided directly by the individual.
The rights of the individual.
How long the personal information will be retained or how the retention period is calculated.
Whether any automated decision making, such as profiling, will take place and what information will be used in that decision.
Whether personal information is processed outside the European Economic Area (EEA) and how the personal data will be kept safe.
Best Practices for Privacy Policies
Make it freely available to your customers.
Include a privacy page on your website, so your customers can easily access it.