Are you looking to develop a PRIVACY STATEMENT for your organisation?
Veronica Rose, CISA, CDPSE
IT Auditor | Certified CISO | Board Director at ISACA Foundation | Published Author | Director, ISACA Board of Directors 2021 - 2023 | Speaker | Member of NACD
Organisations need to ensure compliance with the new data protection laws that are making them revise their business operations. The enactment of the EU GDPR and the DPA, 2019 has led to a wave of new policies being required for compliance.
In this article, I have highlighted the areas of focus for a comprehensive Privacy Statement to guide you as you plan the development and implementation of your privacy notice/statement.
Who needs a Privacy Statement?
As long as you (as a company or an individual) collect or use personal information from users, you need a Privacy Statement.
A Privacy Statement is required regardless of the type of platform your business operates on or the industry you are in.
Remember: a privacy statement is not a privacy policy. The two documents are different. They serve a similar purpose, but one is internal and the other is external.
To simplify the difference: a privacy policy is internally focused, telling employees what they may do with personal information, while a privacy notice is externally focused, telling customers, regulators and other stakeholders what the organisation does with personal information.
The Privacy Statement can also be recognized as:
- Privacy Notice
- Privacy Information
- Privacy Page
A privacy notice should be accessible on your website, your mobile app and every other platform your business operates on.
Privacy statement checklist
The requirements for Privacy Statements may differ from one organisation or country to another depending on the applicable policies, jurisdiction or legislation. However, most privacy laws identify the following critical points that a privacy statement should address for the business to comply when dealing with personal data. Here are the key areas of focus that will guide you while drafting the statement.
1. Notice: the statement should declare to the data subject what information is collected, how it is received, and how it is processed and used, before the data is collected. Customers should be notified when their data may be shared, transferred or disclosed to a stakeholder.
2. Choice & Control: As you develop the policy, consider and respect the choices of users on what information they choose to provide to you.
3. Security: as a data controller/processor, always remember that you are entirely responsible for the security of the data collected, and this should be clearly stated. You may not be responsible for its accuracy, but ensure that the data you process is given the utmost information security.
4. Access: the statement should explain how users can view, update or request the removal of personal data collected by the company where necessary.
5. Accepting the privacy policy: customers should be able to opt in to or opt out of your services freely. Both the customer and the company should agree to the data protection terms to ensure that each party understands its rights.
6. Assurance message from the organisation: this should clearly explain how your organisation will treat PII and protect customer privacy when customers use your services, i.e. you agree that such data will be protected in accordance with the privacy policy.
7. Retention: define the retention period for the data collected as per the internal Data Retention Policy.
8. Privacy policy changes: the statement should always highlight changes to the privacy policy.
9. Your responsibilities: as a company, define what your responsibilities are on matters concerning protection of customer data.
10. Contact details: don’t forget to include contact details for the company’s DPO so that customers can reach you with concerns about the management of their PII. You should commit to resolving complaints about data collection or the use of personal information, to assure customers that you take their privacy concerns seriously.
Repercussions
The privacy statement is required by law if you collect personal data or information that is considered private; not having one will expose you to the following:
- Not having a privacy statement can be a reason for rejection during app review.
- Some companies will not be able to transact with you.
- Legal penalties for non-compliance with the EU GDPR, 2018 and the Data Protection Law, 2019. The GDPR requires companies dealing with EU citizens to have a Privacy Statement regardless of where the company is based.
“Together, We Work Smart”
#sharewithV