We have all heard about data breaches and about some of the big corporations, such as British Airways, easyJet and Yahoo, to name but a few, that have incurred fines for breaching data privacy laws. But what does it mean when we learn that our “privacy” has been compromised, and why must all companies have a Privacy Policy? As a consumer or customer, it can be a frightening experience to learn that our personal data has been compromised, as we worry whether we will become a victim of identity theft, fraud or other criminal acts.
Why do businesses need a Privacy Policy?
A privacy policy is a legal document that tells end users, customers and clients how you hold and process their data and how long you retain it for. It documents the legal basis on which you hold personal data and what rights individuals have in the event of a breach or if something goes wrong.
It is essential that the correct information is contained within the policy and notice, so you may wish to consider asking a GDPR expert to draft a document that works for your business. GDPR is the General Data Protection Regulation and is an update of the old Data Protection Act, which all companies were also required to comply with.
What should be in a Privacy Policy?
- The name and contact details of your company.
- The name and contact details of your representative.
- The contact details of your Data Protection Office (if you are required to have one).
- The reason you are processing data – be clear why you are using people’s personal data. This can be for a variety of reasons, such as to process orders, provide services, staff administration or marketing. (If you are using data for marketing purposes, you must obtain “consent” to hold such data – see below).
- The legitimate reason for processing the data, whether by your company or a third party. When you rely on legitimate interest, you need to comply with Article 6(1)(f) of the UK GDPR. For the majority of organisations, the reason for holding data will be covered under legitimate interest, as you need the data to be able to fulfil the contract/services you have entered into with an individual or another company.
- Details of any transfers of personal data that you may make to any third parties, countries or international organisations. For example, if you are sharing/transferring that data to a third party – do you know what their provisions are for holding data?
- How long do you intend to hold the personal data for? It is no longer enough to say that you will hold data indefinitely. For example, professional services firms such as law firms are required to keep certain data for no longer than 6 years. If you do not have a specific data retention process or policy, then you must explain in the Privacy Policy your rationale for keeping their information and for how long.
- Explain the legal rights available to individuals in relation to how you are using their personal data: how they can access it, amend it, ask for it to be deleted, object to you holding it, and request the portability of that data.
- Be clear about how a company or individual can complain about the use of their data or about any breach they believe has occurred. For UK companies, the relevant authority is the ICO, and you should include their contact details in your policy.
- For some companies, there may be statutory, contractual or regulatory obligations to provide personal data. In these instances, you must let the individual know that they are required to provide data to you under those obligations and what will happen if they do not provide such data.
What can go wrong if you do not have a compliant Privacy Policy?
A decision not to have a Privacy Policy may lead to serious consequences and significantly impact your business. If there is a breach and you have not complied with the GDPR, you face a fine of 4% of your global revenue or up to £20 million.
It is therefore a considerable risk if you actively decide not to comply with the regulations when a Privacy Policy can protect you.
If you would like to book a free 20 minute call to discuss any of the above information in more detail, please contact: Vicky Simpson – victoria.simpson@applycompliancetoday.co.uk