Time to update your Data Privacy and Data Collection Notices!
This blog post is the fourth in a series of posts on the lovely subject of GDPR. If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own. I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance. I hope you will find the posts helpful and feel free to add comments or tips below.
This fourth post covers the next steps to becoming compliant, including updating your Data Privacy Policy and/or Statement and your Collection Notices. I know, it's a pain really. If you don't want to handle it yourself, outsource it! Once you have completed the data audit (see blog post No 1) you should have a good idea of the various ways you have been collecting personal data for your business activities (that is, where the data you collected originated from). Doing the data audit is also a good opportunity to delete data that is no longer required for any business purpose.
Data Privacy Policy and/or Data Privacy Statement
I am currently revising and drafting mine so don't bother looking at it! If you have a business website, the data privacy bit is usually referred to as a data privacy statement; for offline documents it's usually called the data privacy policy. Either way, it is not the same as your terms and conditions.
How do I write or amend a Data Privacy Policy and/or Statement?
The best way is to work from your data audit, so that the policy covers every one of your data collection points. The layout of the data privacy statement depends on your own online business activities. In my case, I just showcase my services on my website, but if you sell products or services through your website then you are collecting more personal data, and your data privacy statement should clearly explain what is collected, why it is being collected, how it is secured, and so on.
I know I promised not to use legal jargon and I won't, but to get a legal understanding of a data privacy policy and to find out how best to write its content, check out the Data Protection Commissioner's site here. It clearly explains how it should be done and indicates the headings to use for each section.
Once you are happy with the content of your data privacy policy and/or statement, publish it on your website, link to it from your collection notices, and add it to your service contracts or to your terms and conditions.
Collection Notice Points
I gave an example of an online collection notice in blog post No 3. But just to confirm, a collection notice should be shown at the point at which you ask for personal data to be shared with you. So using the data audit you can quickly see where you have been collecting personal data. Keep in mind that, for marketing data, GDPR is mainly concerned with evidence of consent (what the person agreed to, when and how) and evidence that the data is being collected and stored securely.
Here is a list of marketing collection points, online and offline, that you might be using to collect personal data:
| Online | Offline |
|---|---|
| Subscription pop-up/form on website/social media sites | Subscription form |
| Questionnaire | Questionnaire |
| Survey | Survey |
| Competitions | Competitions |
| Webinars/Event registration* | Event registration |
| Application forms | Application forms |
| Website cookies | Business cards |
| Testimonials | Testimonials |
| Free downloads (e-books/tips) | Retail store loyalty programmes |
I am sure there are many other points but you will know where and how you collect personal data for your own particular business.
The important thing to remember here is that consent is specific to a purpose: you should not add a person's data to your newsletter subscription list if they only consented to receive your e-book! You will need separate consent for each marketing activity.
Where possible, refer to the Data Privacy Policy and/or Statement on the collection notice, giving the individual the opportunity to read more before they give consent. (Remember, that's the bit many of us ignore!) Whether an individual reads it or not is their choice, but we have to ensure that the collection notice itself clearly explains why the data is being collected and what it will be used for.
Right, I’m glad that bit is over. In my next post, I will look at Retention, Withdrawing Consent and deleting files. Coming soon. Promise!