How to Update Your Privacy Policy for GDPR Compliance

GDPR is the EU law implemented on May 25th, 2018 on all organizations dealing with EU citizens. It was implemented to protect the privacy and personal data of users. 

GDPR has created a set of rules that all websites while collecting and processing personal data. If you are an organization that deals with information on EU users then you must comply with these rules, violating which can lead to hefty penalties and fines.  

Privacy Policy is a public document by the organization controlling the website, which explains the working of the organization, the process involved in the collection of user data and how it protects the data rights of users.

Ever since the implementation of GDPR, user privacy is even more of a concern to every website. GDPR assures that websites don’t collect user data without their consent and user be informed of the working of the website. It ensures the rights of the user are honored by websites and penalizes those who do not comply with its rules. When opting for a privacy policy generator, make sure it is GDPR compliant. 

The Privacy Policy for GDPR compliance must have the following specified,

• What personal information is collected.
• How the information of the user is collected.
• What is the purpose of the information collected.
• How the website keeps the data collected secure.
• What control the user has over the data submitted.
• What third-party networks are linked to your website and serve targetted ads.
• An opt-in and opt-out mechanism from cookies and scripts.
• A contact method to get in touch with the organization.

Let us look into each of these points are in detail.

Usual personal information collected are names, emails, phone numbers, etc. Any other form of data collected must also be mentioned in the privacy policy.

Online registration or purchase is a few ways data is collected from users. Contact or feedback form too ask for personal information from users. Other than these cookies are stored in the user’s browser that may track your browsing activity.

The data collected is for processing your purchase or for the maintenance of your profile on the website. Most cookies set store user information are necessary for the functioning of the website. 

The data collected is kept in the records of the website and deleted after a time period.

If third-party agencies are a part of your website or are partnered with your website, and if the data collected by you is shared with them, the user needs to be informed. 

The user should have an option to opt-out of targetted ads and emails.

The following are the rights that data subjects get in GDPR. All users, employees, customers or anyone working for the company can make these rights requests. 

The Right To Information

This right authorizes the user or customer to ask the website about how the information collected from them is being used and with who is it shared.

The Right To Access

Under this right, the data subjects get access to their data being processed. They can request the website owner to get a copy of the data they submitted. 

The Right To Rectify

Under this right, the data subjects can modify or change the data submitted by them to the website. The users can send a request to do the same in case their data is not up to date or need any modifications. 

The Right To Restrict Processing

This right provides the users with the choice to restrict the processing of their data. The users can send a request regarding this to the website, which will immediately any ongoing process of their personal data. 

The Right To Object 

If the user wishes to object to the processing of the data given by them then they can do so using this right. This right is the same as the right to withdraw consent. However, it is applicable to special conditions such as when undergoing a legal situation, the user can object on using any personal details submitted. 

The Right to Data Portability

This right gives the user the freedom to obtain and reuse their data for their personal use across different services. The user can use the data submitted to a website, copy, move or submit it from one IT environment to another without affecting its usability.

The Right to Erasure

Under this right, the user can opt to be forgotten by the website. This right comes in handy when the users have ended taking any services from the website. With the customer relationship ended it is important that the customer has the right to request the website to delete all the details previously submitted by them.

The Right To Object To Automated Decision Making

Automated processing of data of users can be carried out in different scenarios such as the decision is important for the performance or entry in a contract, it is authorized to by the union or law if the user gives their consent. 

If the processing takes place without the above scenarios happening, the users must be informed immediately, they need to informed of simple ways to challenge the decision. 

The Right To Notification Obligation

According to this right, any change or deletion or rectification of the user’s data must be notified to them. This is important as the change may or may not be made by them and is to be followed even in case of loss or breach of user’s data.

Cookies are small script files that are set on the user’s browsers or devices by the website visited by the user. These cookies stay on the browser until their expiration time or until the user clears the browser cookies.

These cookies are set on the browser store information about the user’s behavior on the browser. these data are then used by the third-parties to create a profile of the user’s preferences and provide them with targeted advertisements, that are more likely to be clicked by the users. 

They track the user behavior, what links they click on and even their user history to target relevant ads. 

Cookies can be classified into different types based on different characteristics. 

• Based on their purpose, there are basically two types of cookies, necessary and non-necessary. The necessary cookies are the ones that are essential for the functioning of a website, and the non-necessary cookies are the ones that are added additionally by the website and are not really important for the functioning of the website.    
• Based on their origin, cookies can be divided into first-party and third-party cookies. First-party cookies are set by the website itself that the user is currently visiting, say, check whether the user is logged in or not. Whereas third-party cookies are put in by other websites that track the user for targeting relevant advertisements.
• Based on their duration, cookies can be divided into two, persistent and session cookies. Session cookies are set when the user starts a session and are temporary cookies. They expire once the browser is closed and the session ends. Persistent cookies, on the other hand, stay on the user’s browser for a longer period and only die when they reach their expiration period.

Cookies are these harmless small text files that are locally stored and can be easily viewed and deleted, a lot about the user’s activity and can be stored without the user’s consent, with chances of misuse.

There were cookie policies before stating what cookies are used in the website, why they are used, where the information will be shared to and if the user’s consent is involved with the same. 

Ever since GDPR comes into play, cookie policies have been required to not just ask for the permission of the user for running but also get the following included in the policy.

• The name and type of cookies used. There are many types of cookies available, the ones used should be specified in a cookie list along with the cookie name and ID.
• The purpose of the cookies used. Along with the type, the purpose of each cookie used should also be specified in the cookie list. 
• Cookie duration. Some cookies die out after a user session and some are persistent ones, that stay along for a year or so. The duration to which a cookie will stay in your browser must be specified.
• The whereabouts of the data shared through the cookies should be specified.
• Cookie rejection and acceptance policy should be mentioned. Users should know how to opt-out of cookies.

It is important that Email, phone number of the address of the website owners are provided in the Privacy Policy for GDPR compliance, as well as on the website. This is in regard to provide a better user experience making them feel free to contact for guidance, support or to report a complaint.

If you own a website and your Privacy Policy covers all the above points then it sure is GDPR compliant. In case, your Privacy Policy lacks any of the above-mentioned details, it is time to update it ASAP!

Create the perfect privacy policy for your business website using CookieYes Privacy Policy Generator in less than two minutes!