Compliance Genie


Privacy Policies - they are just the tip of the Iceberg

Before I cover why having a compliant website isn’t just about a privacy policy, I want to preface this with the following:

‘After listening to me, you may become more aware of the lack of privacy policies on business websites, and you may also start wondering what businesses are doing with your personal information. It’s like when you decide you want a new car and all of a sudden you start to see them everywhere. I obviously have this effect on people – welcome to my world!

And whilst it may appear I am against sharing personal information, this is actually far from the truth. In today’s world, we need to have access to people’s personal information and share it to enable us to provide our services, look after our clients and do our jobs of creating magic properly.

My drive comes from educating people about the importance of protecting the information they hold, and about having the right foundations in place in their business so it can evolve to the next level safely. By educating individuals and businesses, people can decide whether they are happy with what businesses do with their personal information, or with the lack of transparency, whichever applies. If I’ve achieved my goal of educating people, and as a result they are in a better position to protect personal information and their business, then that makes me happy.’

So… what does it mean to be able to evidence compliance for your website from a data protection perspective? Remember, your website is your shop window and one of the first chances you have to demonstrate your integrity and values.

Well, all too often people think that a privacy policy is all that is needed to evidence compliance with the data protection requirements for a website. It’s quite common to purchase a template, or to find something on the internet that looks okay, and then adapt it. In some cases it isn’t even adapted, on the assumption that if it’s okay for that business it will do for mine. Whilst having a privacy policy is a good start, there is in fact more involved, which I will get to later.

Now the Privacy Policy, or Fair Processing Notice as it may also be called, is the way businesses show they are meeting the transparency requirements under UK GDPR (UK General Data Protection Regulations). Basically, it informs individuals what information is collected about them, what the business does with it and why. On some templates you will see all sorts of things being disclosed; however, you only need to disclose information that is relevant to the people you are collecting information about. For example, if you are a small business you don’t need to give people the right to opt out of automated decision making (including profiling) if this is something you don’t do.

The privacy policy should be easy to understand so people can make an informed decision about sharing their information with you. It’s not a case of blinding them with science and including things that are totally irrelevant, as this makes it too confusing for people to understand what the policy is trying to explain. A good rule of thumb is: if you don’t understand it, how do you expect someone else to? Simple is better; there is no need to be complex. Some people may decide not to share their personal information at all if your privacy policy is too complex or refers to things you don’t even do with their data, for example making reference to transferring information to third countries when this isn’t something you do.

What should be on a privacy policy:

· Name and contact details of the business

· The purpose of processing – why you are collecting the information

· The lawful basis of processing – there are 6 lawful bases that can be used

· Where legitimate interests is being used as a lawful basis – if applicable

· Retention periods – how long you keep each type of personal information for

· The rights individuals have in relation to the data you collect – which rights individuals have will depend on the lawful basis of processing used

· The right to complain to the supervisory authority – in the UK this is the ICO (Information Commissioner’s Office)

To have a privacy policy that is suitable for your business, you can probably see that a copy and paste job just will not cut it. Also remember that whilst you can purchase a template, you are responsible for ensuring it is appropriate for your business, as compliance isn’t something you can fully outsource. You remain responsible and accountable under the regulations.

So your privacy policy is just the tip of the iceberg: it is the part you see on the website. However, just like an iceberg, there is a whole raft of documentation required under the surface that actually evidences compliance, and this should be in place to support the finalised privacy policy.

Like everything in compliance, if something isn’t written down it’s very hard to evidence that it has been done, and evidencing data protection compliance on your website is no different. In fact, to be able to write a privacy policy that is tailored to your business you need to be able to answer, and evidence the answers to, the following questions:

· What information is being collected – for example name, email, telephone number.

· What is the lawful basis?

· Where legitimate interests is being used – an assessment needs to be undertaken and reviewed on a regular basis to evidence that it is the appropriate basis.

· How long each type of information should be kept for – this will vary with the information you hold; for example, information kept in order for you to fulfil a contract will generally have a retention period linked to your accountancy records.

· What rights individuals have in relation to their data – this ties in with how long you keep information and what you keep it for. If you are a financial adviser advising on a Defined Benefit transfer, there is a regulatory requirement to keep hold of this information indefinitely, so an individual would not have the right to deletion in this case.

· Where consent is used, individuals have the right to withdraw their consent. What are the implications for your business if this happens? Consent is a whole other issue which will be addressed in another blog.

Now that you have the basics of data protection compliance covered, is your website fully compliant? Well, there are of course other regulations beyond data protection, but that is a blog for another day…

Should you decide to write your own privacy policy or adapt a template, there is a raft of information out there. And, as I say, having a privacy policy is better than not having one. But having a privacy policy that truly reflects your business, together with the underlying documentation and, where appropriate, the correct processes to evidence compliance, will protect your business and make it evident to your customers that you take seriously the protection of the personal information they have chosen to let you borrow. The questions we should be asking are: are you actually confident in adapting the template? Would you know if something wasn’t applicable to your business? Would you rather spend your time doing something you love?


Well, this is where the Genie for the Day service comes in. This is what I love doing, so get your Genie for the Day and I will write your privacy policy, ensure all the compliance around the privacy policy is documented, and even implement the policy on your website and ensure any email marketing opt-in is fully compliant. Get your Genie for the Day and you can relax doing something you love whilst I work my magic.
