What is the ideal privacy policy for your company?
Is there an ideal and foolproof Privacy Policy?
This is one of the most difficult questions to answer nowadays. Especially considering all the jurisprudence already established in Europe with the GDPR, the extensive history of cases, and the numerous tips we see in the market. Not to mention the judicial decisions that are already emerging in Brazil with the LGPD.
I'll answer you promptly: No. And I'll help you understand why.
I believe it is possible to develop a line of reasoning that can assist each one of us entrepreneurs, DPOs, lawyers, third-party consultants, etc. Ultimately, everyone can have a clear understanding of how the game works to avoid being caught off guard.
Below is the logic behind a privacy policy and some principles to help you understand the game. Perhaps even assist you in adapting your company and addressing any doubts that may arise along the way.
What makes a privacy policy better or worse?
To be as straightforward as possible: Does it accurately reflect the reality of data usage and flow within the company?
Here is the key to understanding any privacy policy: It must truthfully reflect the motivations and data flow in the company's routines.
Therefore, before we evaluate the quality of a privacy policy, it is essential to understand why it exists and its purpose. Is it becoming clearer?
In a simple and direct manner, I would highlight that a company's privacy policy is:
A public declaration of the objectives, interests, and responsibilities that companies have regarding the use and application of data, especially personal data, for the execution of their business model.
In other words, the guidelines provided in the privacy policy give us a real understanding of how that business operates regarding data usage and the actual commercial and/or legal purposes for which the data is used.
What do I need to know and map out to create my Privacy Policy?
In essence, it is not possible to structure a privacy policy without understanding the foundations of the business. Don't worry, I'm not complicating things for the sake of it, but rather showing you that without this knowledge, even a lawyer charging thousands of dollars per hour won't be able to assist you.
By the way, a good piece of information for you is that the privacy policy does not necessarily need to be written by a lawyer or in "legalese." According to the LGPD, before anything else, it must be clear, educational, and easily readable for the data subject. So, whether it's you, your lawyer, or anyone who understands the processes, purposes, or legislation of your market, it's all good. Prioritize readability, clarity, and the ability for any visitor or customer accessing your platforms to understand and interpret the information.
However, it is worth noting that we recommend at least seeking advice from a lawyer. There are certain criteria and potential complexities in the market that they can assist you with more adeptly. For example, the healthcare industry has specific legislation that already treats patient data differently, and therefore, it may sometimes supersede LGPD requirements.
We are in Brazil, my friend, so, as usual, everything depends on the specific circumstances.
Anyway, let's go through the essential points you need to know to create any privacy policy. Points such as:
3.### Relevant laws governing the activities of players in the market;
4.### Product and/or service portfolio;
5.### Revenue streams and distribution channels;
6.### Basic understanding of the company's organizational structure; (Headquarters and branches, size, number of departments involved, decision-making hierarchy, etc.)
7.### Supply chain;
8.### Sales and after-sales service;
9.### Communication channels; ...
Without this initial detailed understanding, the privacy policy will be incomplete and consequently flawed.
For example, what good does it do if I state that I use data on Facebook, collect addresses, emails, and CPF (Brazilian individual taxpayer registry number) for signing up for my plan and for email marketing, with data disposal in case of opt-out, if there is a legislation in my market that requires me to store this data beyond the data subject's requests?
I believe it is clear now how much information we need to consider. However, this should not discourage you! In fact, it is precisely the knowledge of these processes, or in other words, the understanding of the entire operation, that will give you greater confidence to determine whether the privacy policy is "good" or not. Again, it must reflect the reality and day-to-day operations of the company.
One of the tools/processes that can help you confidently structure the privacy policy is Data Mapping. If you don't have one yet or haven't considered implementing it, I'll summarize it for you in the link below.
Data Mapping: The Life Jacket for LGPD
Tags
Related posts
Understand the legal bases of the LGPD
At the beginning of everything are the legal bases of the LGPD, that is, the legal grounds (legitimate reasons) why companies not only can, but must access customer data in order to do their jobs well.
Understand the meaning of the LGPD for your company
Surely you've already seen the predictions of fines and sanctions, processes. But, what does it mean to your company?
Why are cookie banners everywhere?
Want to understand why there are cookie banners on every website you visit today? This article is for you!
How to delete cookies and cache in Chrome and other browsers?
Tired of the ads from that site you visited following you around? Is your computer running slow when accessing a particular website? Want to delete all cookies from a specific service or site?
LGPD and Cookies all do you need to know?
In this article, you will have a great introduction to the topic, as well as various other variations that revolve around the subject: Cookies and LGPD.
Fines in LGPD - What are they, amounts, and compliance deadlines
In this article, we will answer all your questions regarding fines under the LGPD (Brazil's General Data Protection Law).
10 Marketing Processes You Should Rethink under the LGPD!
In the end, our goal has never been to predict doom for companies or to be part of the LGPD's Apocalypse Cavalry. But, since we've been in the market for some time, these kinds of issues always catch our attention when we start data mapping and having conversations with colleagues.
Key Differences between LGPD and GDPR and the Impact on Internet Cookies
While both regulations share the goal of safeguarding individuals' rights regarding the processing of their personal data, there are some important differences between them. It is crucial to understand these distinctions and their implications, particularly in the context of internet cookies.
How to choose a Cookie Banner for your website
What are the criteria for this choice, and what are the strengths and weaknesses of each option? Well, we're here to help you because this decision needs to be well thought out!
Best practices in tag categorization
It's time to talk about one of the most impactful tasks, both for the company and for the visitors of your websites: tag categorization. But why is it so impactful? What is the relevance of this configuration and how can it affect us? It is precisely because of these common questions we receive from our clients that we have written this article on best practices in tag categorization.
What is a privacy policy?
While it's not exactly breaking news, discussions about privacy policies have been popping up more frequently since the start of GDPR in Europe. And despite it seeming coincidental, it's not!
What are Terms of Use and their importance for the LGPD?
Ignoring Terms of Use and their significance within a website, particularly now with LGPD, is a common mistake that both consumers and website owners frequently commit.
ROPA in LGPD? Get to Know the Records of Processing Activities.
Brazilian LGPD - General Data Protection Law brought with it several acronyms and specific terms. Many of them are imported from other countries and regulations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil to Registros das Atividades de Tratamento. An essential document for any DPO, Data Processor.
AdOpt
Resources
Legal Terms
© GO ADOPT, LLC since 2020 • Made by people who love
🍪