Here are some essential tips for keeping on top of your privacy notices:
Make sure last updates are recorded at the start of the policy. If someone is checking the policy then understanding when it was last changed is important. It also helps with version control but be sure to have an effective date on record too.
Does the policy include a description of all personal information collected, how it is used, how long it is retained and why. This is all essential information if the policy is going to be transparent, a key requirement.
Include third party service providers, what data is shared with them and why. Ensure that third parties have been reviewed and any necessary contractual agreements are in place, check each ones security, data breach and data transfer policies. This is vital as when a company engages a third party it can, in some instances, mean that it takes responsibility for the way the third party handles its end user information. So it is key to understand what personal information is shared and who with. The definition of personal information depends on the regulation or regulations that apply.
Be sure to reference security, there is no need to give away all the security measures taken as that could undermine but include enough information to let your audience know you take appropriate measures and make sure you do what you say.
Individuals rights are paramount. The GDPR requirements on data subjects’ rights are comprehensive and apply to children too (Articles 15 to 22). However, other data privacy laws include rights for users and parents in relation to their child including COPPA, China’s new child privacy law which is a broader take on COPPA (Provisions on Cyber Protection of Personal Information of Children (PCPPIC)and the CCPA. Make sure users know what their rights are and how to action them. Be sure to have mechanisms in place to respond. It is not enough to say email us to access your personal information and then have no way to gather and provide it.
Above all make the policy clear, accessible, transparent and easy to read. Pages of long complicated legalese does not meet best privacy practices or the requirements. Layer notices by adding a quick summary and then link to more detailed information. The GDPR and the UK’s ICO (Information Commissioner’s Office) Age Appropriate Design Code require policies written appropriately for the age of the audience. This means writing policies for children. Include signpost, animations and creative solutions to support understanding but do not include marketing materials and promotions, the policy is not the place to sell your service.
About the Author
Claire Quinn is VP of Compliance for PRIVO. PRIVO is at the heart of developments in this space and will be updating its GDPRkids™ Privacy Assured Program to ensure it remains relevant and mapped to the regulation, the latest guidance and codes. For more information on the program, which demonstrates compliance in relation to children, contact us!