A global investigation by data protection regulators, including the UK’s ICO, found that websites’ privacy policies tended to be inadequate, failing to give visitors the information they need to understand how their data is collected and processed.
The ICO reviewed 30 websites in the UK and found:
- 26 out of the 30 didn’t specify how and where data would be stored
- Detail about international transfer of data (i.e. outside the EEA) was often unclear
- 26 out of the 30 failed to specify whether they share data with third parties
- Only 6 made reference to a data retention policy
- 24 sites failed to provide information about how users can delete or remove their personal data from the site
- 7 sites failed to mention details about how to access data via subject access requests
With GDPR looming on the regulatory landscape (25th May 2018), Privacy Policies have a key role to play in any organisation’s “accountability” obligations under the regulation. In addition, Article 13 (the Data Subject’s “right to be informed”) sets out exactly what Data Subjects should be told about the data collected, the organisation collecting the data and other important information.
ICO’s Intelligence and Research Group Manager, Adam Stevens, concluded in their news piece:
The GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the new law.