With GDPR compliance now a legal requirement for any organisation that processes the personal data of people in the EU, many webmasters are looking for a quick way to get their websites compliant. Is copying someone else’s privacy statement a good way to do this? In this article, we discuss just that.
The purpose of the EU’s General Data Protection Regulation (GDPR) is to provide standardised data protection law across the EU. In doing so, it protects individuals’ rights over their personal data and their privacy.
However, while the law itself is standardised, the way it applies differs from one organisation to the next, because each one collects different data for different purposes. Your privacy statement therefore has to be specific to you and to your own processing activities. It cannot be generic under the GDPR.
The issue with copying another site’s privacy statement is that it is easy to copy their mistakes along with their text. It is also lazy, and it imports disclosures that are irrelevant or inaccurate for your site, which runs against the GDPR’s transparency principle. For example, one website may use Google Analytics where another does not; one site may use DoubleClick where another does not. A copied statement will either describe processing you do not carry out or omit processing you do.
Now we know what you’re thinking: what if I proof and edit someone else’s privacy template so the legalese is there but it’s specific to my business?
Much the same problem applies to privacy policy generators: their output is very, very generic. Under the GDPR, you are required by law to be specific about what data you collect, how you collect it and why. You must also disclose the recipients, or at least the categories of recipients, with whom the data is shared.
The risk, put simply, is non-compliance. That is not to say a generated template automatically makes you non-compliant: you may well meet your obligations under the GDPR starting from a generic template, but only if the disclosures you fill into it are detailed, accurate, understandable and easily accessible to your users.
What should my privacy statement include?
Your privacy statement is a public statement of how your organisation applies data protection to its own processing activities. The framework that governs this is the GDPR, so the text of the Regulation itself is the place to start.
Article 13 of the GDPR (information to be provided where personal data are collected from the data subject, which is the usual case for a website) makes it clear that a privacy statement must include the following:
1. The identity and the contact details of the controller and, where applicable, of the controller’s representative;
2. The contact details of the data protection officer, where applicable;
3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
4. Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
5. The recipients or categories of recipients of the personal data, if any;
6. Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Your privacy statement must also:
· Confirm whether the information will be transferred to a third country or to a recipient outside the EEA. If not, no further note is needed. If yes, state whether the Commission has issued an adequacy decision for that country or, failing that, which safeguards under Article 46, 47 or 49 you rely on and how a copy of them can be obtained;
· Confirm how long each category of personal data will be retained or, if that is not possible, the criteria used to determine the retention period;
· Disclose where you are relying on the data subject’s consent to process their data, how that consent is obtained (for example, an unticked opt-in box), and the right to withdraw it at any time. Note that consent must be a clear affirmative action; simply continuing to browse the website does not amount to consent;
· Disclose whether the provision of personal data is a statutory or contractual requirement, whether the data subject is obliged to provide it, and the possible consequences of failing to do so;
· Disclose the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), together with meaningful information about the logic involved and the significance and envisaged consequences for the data subject;
· Disclose the data subjects’ rights of access, rectification, erasure, restriction of processing, objection and data portability;
· Disclose the data subjects’ right to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner’s Office (ICO)) and how to do this.
As you can see, many of these elements are business-specific and therefore cannot be copied from someone else’s privacy notice. When creating yours, you must start from a clear understanding of what data you collect, how you collect it, why you collect it and who you share it with. Only with this insight can you write a privacy statement that is accurate and transparent.