There’s a lot of confusion over Privacy Policies. Some people have bought “off the shelf” policies and others don’t have one at all.
We all have “the right to be informed”, we also have other rights – you can read about them here.
Andrew Roberts our Data Protection expert tackles, in this blog, some of the subtleties and areas where people tend to get privacy policies wrong.
Whenever your organisation is communicating with the data subject, make sure they can access the policy.
Most people put a document or page up on their website with a link in the footer, which is good, and allows people to check how you’re processing data even if you aren’t communicating with them.
When you are communicating directly with people on email, you also need to let people know how to see what you’re doing with their data.
The website policy
One issue that I have seen quite often is that privacy policies only, or mainly, cover the processing of data that relates to the website. Policies like this focus on cookies, how contact us forms might capture data, and other ways that data that only relate to the website is captured, stored and managed.
This is often the case when website designers create the privacy policies as a part of setting up the website.
The public-facing privacy policies should cover all of the data you are processing, whether linked to your website or not.
Privacy policies should never be (but often are) approached with an attitude of posterior protection – privacy policies are not a contract between you and the data subject.
The policy is your shop window to show the data subject what, who, how, where, when and why you are processing data. You are processing their data, and as a part of that transaction, one of your obligations is to provide a clear and succinct message that tells the data subject how their data is being processed.
When structuring the policy, consider what the data subject would want to know.
The data subject will often fall into one or more categories, and main ones are usually the ones below, but you may well have others:
- Prospects (including ex-customers),
I recommend separating out how you process data for the specific purposes and grouping them under these categories. You may be processing data for more than one reason for a given type of data subject; this is fine. A single individual can have their data processed under more than one category.
When documenting the information on how you process data, follow a set pattern in each section, both for ease of understanding, and for ease of update. For example:
- A description of the category: “We capture information on individuals in customers and prospective customers who are buying or interested in buying products from us”.
- Why you are doing this: “We process this data so that we can engage with the individuals to provide their organisations with our services”.
- How: ” We capture this information either directly or through our website or from their contact to us using email or telephone”.
- What: “includes basic contact details such as name, telephone number and email address”.
- What legal basis you’re using to process the information and how you justify that.
- Whether you also capture special category or criminal offence data, why and what reasons you’re using to do so.
- The general public doesn’t see the information on employees, and
- Employees can have access to the information in relevant documents like the employee handbook.
Employees are statistically one of the most significant causes of problems when it comes to data protection; disgruntled employees or ex-employees can soak up time and resource in ‘weaponising’ their right to access (known incorrectly as a Subject Access Request or SAR – it’s not a ‘request’, the data subjects are exercising their rights) as one example.
Transparency is good
Despite the temptation to obscure how you process data, having greater transparency in how you manage data protection is a help to any data protection issue, rather than a hindrance.
Please contact us on email@example.com or call us on 01635 592020