Under the EU General Data Protection Regulation (GDPR) you must provide a privacy notice if you collect, use or process personal data of European citizens. Individuals have the “right to be informed”, and since there is a transparency requirement under the GDPR, they should be told what personal data organisations process and why. A privacy notice on your website is essential.
To avoid confusion (as I still see a lot of it across the internet): personal data includes any information that relates to an identified or identifiable living individual. It doesn’t matter if an email address is a business email address; it is still personal data if it includes an individual’s name.
Too many businesses have said they do not process data because they do not send any marketing. Processing data isn’t just about the marketing you send. It includes collecting, recording, organising, structuring, storing, modifying, consulting, using, and destroying data. I am assuming you actually have clients, suppliers, customers or referral partners? In that case you process personal data and by law need to have a privacy notice.
- Who is collecting the data? Yourself, maybe a third party?
- What data is being collected? Be as clear as you can and break it down; if you collect DOBs, tell them. Remember you should only collect data that you ACTUALLY need.
- Why do you collect personal data? You must also explain why you need that personal data. If it’s to process orders (sounds obvious), tell them. If it’s to respond to enquiries, complaints or general feedback, tell them. If you run a loyalty programme, again tell them.
- What is the legal basis for processing the data? Find out which one here …
- Will the data be shared with any third parties? Do you use a VA, a CRM system and a marketing platform? Examples might include Google Analytics to understand website visitors, or AdSense for personalised advertising.
- How long will the data be stored for? Remember to be specific; holding data forever isn’t OK (I know many do).
- What rights does the data subject have? These can be found here X
- How can the data subject raise a complaint? What is your complaint process? Be sure to include the ICO’s details as well.