The answer is yes, but only as a template, and only if the layout of that template reflects your own processing activities. If the template you use is missing key sections, it will not allow you to detail important elements of your use of personal data.
Before the GDPR, privacy policies had to include the following information:
· What information you collect
· How you collect it
· What you use it for
· How you keep it secure
· Whether you share it
· Any controls users have over any of the above
The ICO has published a privacy notice checklist to help you comply with the GDPR when reviewing the content of your own policy. You should ensure that plain and clear language is used and, importantly, that the policy is written for the audience for which it is intended.
Privacy policies must still include the details above; however, there is now a much greater emphasis on transparency, and the required information includes:
· The name and contact details of the organisation (information on the data controller)
· The name and contact details of the data protection representative (DPO) if you have one.
· What data you collect and in which designated areas, i.e. as part of your online activities
· How personal data is collected
· The purpose of the processing (what you use it for)
· The lawful basis of the processing (of which there are six lawful bases)
· How you keep personal data secure
· Who you share the personal data with (details of third parties)
· How long you retain the data (retention periods)
· The rights of the data subjects – these are far more detailed under the GDPR than the DPA 1998.
We have detailed some of the important elements of the GDPR below.
Data controller information
The data controller is the person (either alone, or jointly with others) who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. You are solely responsible for the protection of this data.
· The right to be informed
· The right of access
· The right to rectification
· The right to erasure
· The right to restrict processing
· The right to data portability
· The right to object
· Rights related to automated decision making and profiling
This can be achieved using the list format above, using a longer and more descriptive clause, or under a heading titled ‘Your rights’ with a paragraph specific to your business use.
It is good practice to explain to your users the procedure for exercising their rights and how you will deal with their requests.
Data processing operations
For each processing operation, the purpose must be disclosed. Put simply, the purpose for which you process a user’s information must be made known to that user. You must also inform the user of the lawful basis on which you process the data. This is all about keeping your users informed about how their data is going to be used.
Data retention periods
Data Protection Officer (DPO)
As detailed in Article 37 of the GDPR, some businesses are required by law to have a designated Data Protection Officer if the processing activities involve certain types of data – mainly special categories of data, or large-scale processing activities.
If your business does not have a Data Protection Officer, you can instead include contact information for privacy complaints. This should be a dedicated email address, although you can use your regular business address for postal complaints.
Third party disclosure
The GDPR requires you to be fully transparent about how personal data is handled, which means disclosing who the third parties are with whom you share data.
Plain and clear language
The Information Commissioner’s Office (ICO) Privacy Notice is an excellent example of this, allowing the user to jump to relevant sections with a click.