03 Aug GDPR: Crafting your Privacy Policy
* Who is collecting the data? In your Privacy Policy you need to state who is collecting the data: your company, or a third-party application that you use.
* What data is being collected? Here you will need to identify exactly what data is being collected, whether it is the email address and IP address captured with comments left on the site, credit card and address information for purchases, email addresses captured for a mailing list, or any other data you collect from your customers.
* What is the legal basis for processing the data? Here you should define the business purpose for which you are collecting the data. For example, if you are collecting credit card and address information, you are using this information to process orders and mail merchandise to customers.
* Will data be shared with any third parties? We addressed this a bit in the first bullet, but here you will add information about whether the data is shared with any third-party providers. If you are using a commerce system to process your credit card payments, that company will have access to your customer data. If you are using a third-party newsletter management system, that company will have access to your customer data. If you work with third-party vendors that have Privacy Policies, you may wish to link to those, or you may wish to add information to your Privacy Policy about how the third-party vendors protect the data they receive.
* How will the information be used? Here you will discuss exactly how you plan to use the data you collect. You may also wish to provide a statement here about how you balance your business interests against the interests of your customers when choosing to use their data. For instance, if they are signing up for your mailing list, then using this information to send them information about your company and your products is in their interests. Sharing this list with another company may not be in their interests.
* How long will the data be stored? This is a simple statement of how long you will store the data you collect from your customers. In the case of public comments on your website, this may be in perpetuity. In the case of credit card information, unless your shopping cart saves that information to a customer profile, you may not retain it beyond the transaction.
* What rights does the data subject have? First and foremost, your users must be able to opt out if they so choose. For example, most newsletter applications (MailChimp, etc.) make it easy for you to add an unsubscribe button. You need to ensure there is an easy, clear way for your customers to opt out.
* How can the data subject raise a complaint? You should develop a process by which your customers can raise a complaint. This can be as simple as an email address and the name of whom to contact if they have a complaint.