5 Must-Have Elements in a Globally Compliant Privacy Policy

February 2023
by Fauzia Khan

The days when a business could do without a website privacy policy, draft one in vague and open-ended terms, or make its contents available only upon request are now behind us.

With regulatory reforms across the globe, there is a reinforced need for a dedicated privacy policy that is written in a user-friendly manner and complies with the applicable laws and regulations, drawing on global best practices.

Key Concepts under the Global Data Protection Regime

Before we delve into the core elements, let us encapsulate some of the key terms that are described under different global regulations and commonly used as part of a privacy policy –

  • I. Personal Data – means any information or data relating to an identified natural person, or to a natural person who can be identified, directly or indirectly, by linking data such as name, voice, or identification number; it includes sensitive personal data and biometric data.
  • II. Data Controller – means the person that determines the purposes for which any Personal Data is processed and the means of processing it.
  • III. Data Processor – means the person that processes Personal Data on behalf of a Data Controller for a specific purpose.
  • IV. Data Subject – means the identified or identifiable natural person to whom the Personal Data relates.

5 Core Elements to Formulate an Effective Privacy Policy

A key requirement today is creating policies that are clear, comprehensive, and made available in an accessible form.

In this concept note, we will be describing 5 core elements relating to data processing activities that must be kept in mind when drafting a privacy policy –

1. Consent Disclaimer or Opt-In Option –

Consent is one of the several lawful bases for data processing. It refers to an indication by the data subject that is freely given, unambiguous, specific, and informed. Companies sometimes make a detailed privacy policy available only through a link at the bottom of the page. Seeking conscious consent, however, is a practice that all data controllers and processors must build into their systems. Presenting the choice through a pop-up or chat box menu is a convenient way to convey the required information and obtain free consent from the data subject at the very outset. When drafting a consent disclaimer, companies should avoid technical legal jargon and state the information in plain language that the data subject can easily understand. It is also good practice to include a link to the privacy policy in the consent disclaimer itself, so that the user can readily review the details of the data processing.

2. Type of Data Collected –

A mere mention that personal information is being collected is not enough. As a matter of global regulatory compliance practice, you must state the type of personally identifiable information or personal information being collected and processed from the data subject, including name, email address, birth date, contact number, etc. Moreover, the specific purpose for collecting and processing the information must be stated precisely and clearly highlighted to the data subject.

3. How the Data Is Used –

There must be a proper and comprehensive description of the specific purpose for which the data you collect is used and processed. This makes clear to the data subject why their information is being collected and processed. Any form of third-party data transfer must be disclosed to the data subject. In such cases, you must ensure that you invest in highly secure partnerships and platforms, supported by a thorough due diligence process that may be made available to the data subject on a need-to-know basis. When using cookies to track visitors to your website, be transparent about it.

4. Data Storage and Retention –

As a data controller, you are obliged to inform the data subject of the period for which the personal data will be stored, or the criteria used to determine that period. You must also describe the measures and security protocols in place to keep the information safe. Furthermore, you must disclose the period for which the data will be retained and the process used to ensure its erasure, either upon completion of the specific purpose or in accordance with the criteria of your data retention policy.

5. Opt-Out Option –

Opting out primarily means that the data subject takes a deliberate action to restrict or withdraw consent with reference to a particular event or process. Examples include unsubscribing from newsletters, unticking a previously ticked checkbox, declining to have personal details saved, rejecting the use of cookies, etc.

While the above framework helps build an effective privacy policy, another integral part of its structure, formulated in alignment with global reforms and standards, is a section enumerating the rights of the data subject, including –

  • I. Right to be informed
  • II. Right to access
  • III. Right to rectify
  • IV. Right to erasure
  • V. Right to restrict/withdraw consent
  • VI. Right to object

How do I get a Privacy Policy?

You may contact CMI using the details below, whereupon a member of our team will connect with you to understand the nuances of your business operations and share an overview of the regulatory requirements under the applicable privacy law(s). Once you have retained our services, we can draft a tailor-made solution for you to manage and protect the personal information of your data subjects.

For any related query, you can reach out to us: Call/WhatsApp: +971 562224688; Email: info@centurymaxim.co; Visit: www.centurymaxim.com.

Disclaimer: The above content is for general guidance and no information as given herein by CMI should be construed as advice or recommendation or solicitation, nor should it be considered as legal, regulatory, credit, tax, or accounting advice. CMI undertakes responsibility only when an engagement with the Client has been formalized between the parties involved under the terms agreed thereby.