Summary: Privacy policies will become more simplified and transparent as organizations comply with the GDPR Articles 12, 13 & 14.
- Compliance with GDPR should start with setting up new privacy policies.
- Currently, the majority of privacy policies adhere to US law, which is not as extensive as GDPR.
- Mere updates to existing privacy policies is not a sufficient proof of compliance.
Article excerpts from my forthcoming book – 99 Articles on the GDPR
The GDPR regulation comes into effect in a bit over 2 weeks and while companies are fretting about procedure, policy should not be an overlooked task. Policies differ from procedures, as they are high-level documents that set principles, rather than details of how, what and when things should be done. Currently, a U.S. organization’s privacy policy (also referred to as, a “privacy notice,” “privacy policy,” or “information notice”) probably conforms to U.S. law. For example, a few areas that set regulatory requirements are financial services (the Gramm Leach Bliley Act (“GLBA”)), healthcare (the Health Insurance Portability and Accountability Act (“HIPAA”)) and children’s online protection (the Children’s Online Privacy Protection Act (“COPPA”)). While these regulations raise awareness of data privacy, the GDPR requires even higher levels of conformity.
Privacy policies of organizations describe the type of information it collects, the third parties with whom it shares the information, and the steps that it is taking to secure the information. This basic structure helps an organization to create a general model for privacy and protection of data. Yet, policies to follow HIPAA, FERPA, or COPPA vary in its effect as compared to the GDPR. Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. While these are more detailed and specific requirements than in the UK Data Protection Act 1998 (DPA), the GDPR says that the information you provide must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Below are key differences between the GDPR & U.S. Law
Source: Bryan Cave
Organizations must focus on creating a privacy notice, and display this to data subjects wherever it captures data, to prove they are making an effort to comply. Currently, many organizations are sending updates to their privacy policies to show that they are simplified and more transparent. Yet, none of this is saying they can’t use the data they already have on you as technology has built systems to capture data but not erase data…yet.