Your privacy notice explains to your users and customers how your company collects their private personal data, how you process it, who you share it with, and for what purposes. It helps your customers make informed decisions about whether to consent to data collection.
What do laws like GDPR and CCPA have to say about privacy notices and policies?
Since both data privacy laws are primarily concerned with giving consumers greater insights into and control over who is collecting their data and why, they both require some kind of privacy notice or statement that explains an organization’s privacy practices in plain language. A common practice is to have this notice publicly available on your website. It must also give users the option to opt out of processing of personal data.
What’s typically included in a GDPR-compliant privacy notice?
A typical privacy notice includes a few common elements. It usually covers:
- Exactly what categories of personal data you’re collecting
- Why you’re collecting personal user data (your legal basis or lawful basis under GDPR)
- How you’re collecting personal data, including whether you’re the data controller or data processor (or both)
- How you will use the personal data you collect (e.g., for marketing purposes), how long it will be kept, and how you’ll dispose of it
- How users can opt out and/or request erasure of their personal data, including a phone number or address they can use to contact you
GDPR requirements state that you must explain how you process data in “a concise, transparent, intelligible, and easily accessible form.” A common practice is to make your privacy notice publicly available on your website. Link it in a highly visible place, typically the footer of your website, plus anywhere you collect personal information such as names and contact details, and use clear, direct language.
- What type of data you collect from users, whether it’s contact information, payment information, demographic data, etc.
- Why you collect personal data
- Where you store personal data, for how long, and how you dispose of it
- Whether you share personal data with any third parties, such as service providers, advertising partners, or business affiliates
- How you ensure the data you collect is accurate and sufficiently protected
- How your team should respond in the event of a data breach
- What kinds of rights data subjects have over their personal data and how your team is expected to respond to consumer requests
- Who within the organization is responsible for overseeing data protection
GDPR Privacy Notice Examples
Whenever you’re creating a new policy for your business, it can be especially helpful to see examples of how other organizations have done it. Below we share a few examples of privacy notices you can use as inspiration for writing your own.
The Walt Disney Company
The Walt Disney Company is famous for its level of personalization — whether you’re viewing one of its websites, browsing its streaming platform, or visiting its theme parks. Disney’s ability to create such detailed user experiences is based in large part on their ability to collect relevant data and tailor your experience based on your preferences and past behaviors.
This is all explained in plain language in Disney’s comprehensive privacy notice, which includes sections on the types of personal data they collect and who they share it with. The privacy notice also includes a specific section explaining privacy protections for children and parents’ rights.
Disney also goes the extra mile to make its privacy notice accessible to a general audience by linking legal terms like “data controller” and “personal information” and providing a simple definition.
Google
Whether you just use Google search once in a while or have a whole suite of Google apps and devices in your home, Google’s privacy notice is designed to help all levels of users understand how their personal data is collected and processed.
Privacy policies can be daunting for uninitiated readers, and it’s clear that Google put some careful thought into helping users navigate and understand its privacy notice. It includes a table of contents so that readers can easily jump between sections, and links to other key policies including Google’s Terms of Service.
Google also includes helpful video snippets throughout their privacy notice that quickly explain key concepts like what the privacy notice is, why Google collects user data, and what rights users have over their personal data.
Meta
Meta’s Privacy Center is similar to Google’s, with a table of contents for easy navigation and explanatory videos sprinkled throughout the page. Like Disney, it also includes pop-up links that answer key questions and explain core data privacy concepts in layman’s terms.
This layout makes it easier for users to understand Meta’s overall approach to data privacy and quickly find answers to specific questions, while “Learn more” links let interested readers dive deeper into the specifics of Meta’s privacy practices.
One thing Meta does particularly well is include specific “Take control” callouts that make it easy for users to exercise their data privacy rights.
Get help verifying and maintaining GDPR compliance
Knowing that your policies and procedures are compliant with GDPR requirements can be tricky, especially when you’re trying to build them from scratch.
With Secureframe, you’ll get access to a library of policy templates that have been vetted by former auditors and compliance experts. You’ll get GDPR training for employees, save time with automated evidence collection, and stay up to date with the latest GDPR requirements. Our team of experts will also notify you of any changes in regulation so you can stay compliant.
To learn more, schedule a demo of our security and compliance automation platform.