Fundamental difference
Fundamentally, a privacy policy is internally focused: it dictates how personal information should be handled within an organisation. A privacy notice, by contrast, is externally facing, informing customers, regulators and all other relevant stakeholders how the organisation handles personal data.
GDPR privacy notice explained
A privacy notice explains how personal data is managed. The GDPR specifies that organisations must provide external stakeholders with a privacy notice that has the following qualities:
- In a concise, transparent, intelligible, and easily accessible form
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Provided free of charge
Where a company collects information from individuals directly, the GDPR details specific information which must be included in the company's privacy notice. Some of the requirements of a GDPR privacy notice are outlined below.
- The identity of a company's Data Protection Officer
- The purpose and legal basis for an organisation processing an individual’s personal data
- Any recipients of an individual’s data
- The retention period of any data
- The right to withdraw consent where relevant
- The right to complain to a supervising authority
- Details of any data transferred to a third country and the relevant safeguards taken
- Whether the provision of personal data is part of a statutory or contractual obligation
- The existence and details of an automated decision-making system
GDPR privacy policy explained
Pre-existing privacy policies are often the basis for the creation of privacy notices, and are consequently the first step in an organisation establishing what is permissible regarding data privacy. Privacy policies are typically legal documents which internally disclose some or all of the ways an entity gathers, uses and manages private data. That data is often personal in nature and relates to customers or other stakeholders. Any company with a presence in the EU, or any organisation which monitors user information or behaviour, should therefore create a GDPR privacy policy.
A major component of the GDPR is transparency: providing accessible information to individuals about the collection and use of their personal data. A privacy policy is a key way in which companies fulfil this obligation. Many businesses make their privacy policy public, which aids transparency and compliance with certain regulations.
Conclusion
In summary, a privacy policy and a privacy notice are distinct documents. Where the GDPR applies, it is important to remain compliant with it. If you are unsure about your obligations regarding data privacy, you should consult a business lawyer.