GDPR: Privacy policies and consent forms example
GDPR is here and now it’s time to update your data collection forms. Businesses need to know how to update their forms for collecting email addresses, and the copy in their privacy statement that explains consent for communications.
Today, as we fast approach the deadline of May 25th 2018, we can learn from the examples of larger companies that have implemented new GDPR-compliant forms and privacy notices. We don’t know that they are GDPR compliant, since they haven’t been independently assessed, but the examples in this article are from large businesses that will have taken advice from specialist lawyers.
The example above follows the structure of the GDPR and references concepts such as ‘legitimate interests’. We like it because it is clearly written for the end user, transparent about data sources and uses, and clearly structured. However, it is long, because of the number of different types of data processing involved in insurance products.
How "The AA" structured their privacy statement
- What kinds of personal information about you do we process?
- What is the source of your personal information?
- What do we use your personal data for?
- What are the legal grounds for our processing of your personal information (including when we share it with others)?
- When do we share your personal information with other organisations?
- How and when can you withdraw your consent?
- Is your personal information transferred outside the UK or the EEA?
- How do we share your information with credit reference agencies?
- How do we share your information with Fraud Prevention Agencies?
- What should you do if your personal information changes?
- Do you have to provide your personal information to us?
- Do we do any monitoring involving processing of your personal information?
- What about other automated decision making?
- For how long is your personal information retained by us?
- What are your rights under data protection laws?
- Your right to object
- What are your marketing preferences and what do they mean?
Under legitimate interests, it covers marketing communications specifically:
i) For direct marketing communications and related profiling to help us to offer you relevant products and services, including deciding whether or not to offer you certain products and services. We will send marketing to you by SMS, email, phone, post and social media and digital channels (for example, using Facebook Custom Audiences and Google Custom Match).
It’s interesting that it specifically mentions the options available from Facebook and Google for uploading customer lists to find lookalike audiences and for retargeting based on email address.