Also see: Studio 24’s practical guide to GDPR
NOTE: Please note this is our advice as digital professionals and does not constitute legal advice. Please talk to a lawyer if you require legal advice.
Article 12 states that information must be provided in "a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child".
Article 12(7) makes the same point about presentation: the information may be combined with standardised icons "in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing" (our emphasis).
This means no legalese language and no bamboozling technical information!
- Who we are
- What information do we collect from you?
- Third parties we share data with
- Transfer of information outside the European Economic Area (EEA)
- How you can access and update your information
- Consent for children under 16
- Data security
- How we use profiling data
Who we are
It’s important to state who you are, so people know who is collecting data. Include your full organisation name, company or charity number, and registered address. If you have appointed a Data Protection Officer, give their contact details here.
What information do we collect from you?
You should explain what personal data you collect from users. This should include any special category data (Article 9) such as health, genetic or biometric data. We recommend having a sub-heading for each different purpose of data collection on your site (e.g. a contact form, newsletter signup, analytics, etc).
You should include:
- What data you collect
- Why you collect it
- The lawful basis (Article 6) on which you collect it
- How long you retain the data for
For more details on some of the above topics see our introduction to GDPR article.
Third parties we share data with
Name any third party services that will collect or process data on your behalf. Remember you’ll also need to specify how long this data will be stored for, and how users can amend this data or exercise any of their other rights.
Also, do some due diligence on third party suppliers to ensure they can demonstrate GDPR compliance; at a minimum, a supplier acting as your processor must offer a written data processing agreement (Article 28). MailChimp, Constant Contact, Hubspot and Salesforce are among the providers who report that they have certified with Privacy Shield, showing their intention to follow GDPR’s rules on the transfer of data between countries.
Transfer of information outside the European Economic Area (EEA)
You’ll need a lawful basis for the processing as usual, plus a valid transfer mechanism under Chapter V of GDPR for any data that leaves the EEA: an adequacy decision, standard contractual clauses, binding corporate rules or, in limited cases, the user’s explicit consent. You also need to ensure non-EEA service providers take data security seriously. See if they are accredited to the EU-U.S. Privacy Shield Framework. Note that Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II); since then transfers to the US have relied on standard contractual clauses and, from 2023, the EU-U.S. Data Privacy Framework, so check which mechanism a supplier currently relies on.
Read more about GDPR international data transfers.
How you can access and update your information
Provide the means for users to access and update their information. This might be as simple as providing an email address and asking users to contact you directly if they want a copy of their data or to correct it. Say how they can request erasure as well, and note that you must respond to such requests within one month.
If you provide any account or login based services, you could include a brief guide (or link to a guide) to help users manage their settings.
Consent for children under 16
If you offer online services directly to children, Article 8 requires parental consent for children under 16; member states may set a lower age, down to 13, and the UK has chosen 13. State the age limit you apply and how you check for consent. Find out more at the ICO guide to GDPR and Children.
Data security
It is good practice to detail what steps you take to ensure users’ data is kept private, for example the use of HTTPS or data encryption. You may want to point out that users’ data is hosted in the EU, or if it’s in the US (as many hosted services are) that the supplier is covered by a valid EU-U.S. transfer framework. This is all about giving users the confidence that you take their security seriously.
How we use profiling data
If you profile users or make automated decisions about them, Article 13(2)(f) requires you to say so and to give meaningful information about the logic involved and the significance and likely consequences for the user. For more information see Rights related to automated decision making including profiling (ICO).
Some nice examples of privacy policies: