Now that you have a basic understanding of Privacy by Design principles and the importance of a comprehensive privacy policy, it's time to evaluate what you have already.
In this chapter, we will present 10 essential questions you should answer to ensure your privacy policy is robust, transparent, and effective in protecting the personal information of your customers.
Let's explore these questions using a fictional company, "FituraLife," as an example.
About the company
FituraLife is a San Francisco-based health and wellness company offering personalised fitness programs and meal plans through a subscription service. The company uses technology, expert advice, and a user-friendly platform to cater to a diverse clientele. Committed to protecting customers' privacy and complying with data protection regulations, FituraLife focuses on transparency and trust in its privacy practices and maintains an exemplary privacy policy.
What types of personal data do you collect?
Clearly list the personal data your organisation collects, such as names, addresses, email addresses, phone numbers, financial information, and IP addresses. Be specific and transparent to avoid ambiguity, and identify separately any sensitive data (for example, health information), which many data protection regimes treat as a special category subject to stricter requirements.
Example
FituraLife collects personal data, such as names, addresses, email addresses, phone numbers, date of birth, and health-related information (e.g., dietary preferences and fitness goals).
What is the purpose of the data collection and usage?
State the purpose for collecting each type of personal data and its usage. Limit data collection to what is necessary for the stated purposes and ensure these purposes are legitimate and lawful.
Example
FituraLife collects personal data to personalise fitness programs, provide tailored meal plans, send newsletters, and process payments.
With whom do you share the data?
If you share personal data with third parties, indicate which parties have access to the data and their purposes. Be transparent about your data sharing practices and verify that third parties maintain appropriate privacy and security standards.
Example
FituraLife shares personal data with third-party payment processors, nutrition experts, and partner gyms to offer comprehensive fitness and wellness services.
Which third-party services are you using to process the data?
List the third-party services that process personal data on your behalf, such as cloud storage providers, analytics services, and marketing platforms. Confirm their compliance with data protection regulations and privacy and security standards.
Example
FituraLife uses third-party services, such as a cloud storage provider for storing customer data, a marketing platform for sending newsletters, and an analytics service for understanding user behaviour on the website.
What security measures are in place to protect the data?
Describe the security measures in place to protect personal data from unauthorised access, disclosure, alteration, or destruction. Include information on encryption, access controls, and other safeguards.
Example
FituraLife employs encryption for data in transit and at rest, uses strong access controls, conducts regular security audits, and follows industry best practices to safeguard customer data.
How long do you retain the data?
Outline your data retention policies, specifying the retention period for each type of personal data and the criteria determining this period. Comply with legal requirements for data retention and delete or anonymise personal data when no longer needed for the stated purposes.
Example
FituraLife retains personal data for the duration of the customer's subscription and an additional 12 months for record-keeping purposes. After this period, the data is anonymised or deleted.
How will users exercise their various privacy rights?
Inform users about their rights under relevant data protection laws, such as the right to access, rectify, delete, or restrict the processing of their personal data. Provide clear instructions for exercising these rights and the process for handling requests.
Example
FituraLife allows users to access, rectify, delete, or restrict the processing of their personal data by submitting a request through a dedicated online form, emailing the privacy officer, or calling customer support.
How can users give or withdraw consent for their data collection and usage?
Explain the mechanisms your organisation uses to obtain and document users' consent for data collection and processing, such as opt-in checkboxes or consent banners. Consent mechanisms should be clear, easy to understand, accessible, and compliant with the relevant data protection regulations, and users must be able to withdraw their consent at any time, as easily as they gave it.
Example
FituraLife uses opt-in checkboxes during the registration process to obtain user consent for data collection and processing. Users can also withdraw their consent at any time by visiting the "Privacy Settings" section of their account.
On what basis do you justify any international data transfers?
If your organisation transfers personal data across international borders, your privacy policy must explain the legal basis for those transfers under the applicable data protection laws (for example, the GDPR's rules on transfers of personal data outside the European Economic Area) and the safeguards in place to protect the data once it leaves its country of origin.
Example
FituraLife justifies international data transfers based on the standard contractual clauses approved by the European Commission to ensure adequate safeguards for personal data transferred outside the European Economic Area.
How are users notified of policy changes?
Inform users about the method and timing of notifications for any changes to your privacy policy. Offer a way for them to review and accept the updated policy through email notifications, in-app messages, or other appropriate communication channels.
Example
FituraLife notifies users of any changes to the privacy policy by sending an email to their registered email address, displaying an in-app message, and highlighting the changes on the website.
By addressing these 10 essential questions, your organisation can develop a privacy policy that is informative, engaging, and respectful of your customers' personal information. This proactive approach demonstrates your commitment to transparency, compliance, and customer trust.
As we progress into the next chapter, we will extend these 10 questions into what is required (at a minimum) for compliance with specific legislation, such as the GDPR and CCPA. Depending on the nature of your organisation, and the location of your users or customers, extra-territorial regulation can apply to you. By understanding and adhering to these regulations, your organisation can further strengthen its privacy practices, avoid international legal ramifications, and foster an increasingly secure environment for your data.