Summary: Privacy policies will become more simplified and transparent as organizations comply with the GDPR Articles 12, 13 & 14.
- Compliance with GDPR should start with setting up new privacy policies.
- Currently, the majority of privacy policies adhere to US law, which is not as extensive as GDPR.
- Mere updates to existing privacy policies are not sufficient proof of compliance.
Article excerpts from my forthcoming book – 99 Articles on the GDPR
Privacy policies describe the types of information an organization collects, the third parties with whom it shares that information, and the steps it takes to secure it. This basic structure gives an organization a general model for privacy and data protection. Yet policies written to follow HIPAA, FERPA, or COPPA differ in their effect from policies written for the GDPR. Articles 12, 13 and 14 of the GDPR set out the requirements for providing privacy information to data subjects. These requirements are more detailed and specific than those in the UK Data Protection Act 1998 (DPA); the GDPR says that the information you provide must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Key differences between the GDPR and U.S. law (source: Bryan Cave)
Organizations must focus on creating a privacy notice and displaying it to data subjects wherever they capture data, to show they are making an effort to comply. Currently, many organizations are sending out updates to their privacy policies to show that the policies are simpler and more transparent. Yet none of this says they cannot use the data they already hold on you: technology has built systems to capture data, but not, as yet, to erase it.