Anurag Chaudhary

Difference between Privacy Policy and Privacy Notice explained Privacy Policy According to IAPP (International Association of Privacy Professionals), a privacy policy is an internal statement, and it governs how an organisation or entity handles the personal data of consumers. A privacy policy is directed at employees/vendors or, in general, members of an organisation responsible for handling or making decisions regarding the collection, use, storage, and deletion of personal data. A privacy policy may also be called a data protection policy. Purpose of Privacy Policy ● ● A privacy policy asks employees/vendors to comply with the privacy standards, restrictions, individual/departmental roles and responsibilities. It helps an organisation define the permissible areas necessary for the development of privacy notice, based on which an organisation can tell external stakeholders about data-driven practices. ● A privacy policy acquaints employees with the laws and regulations and also guides them on staying compliant with the clauses of the privacy notice. Contents of a privacy policy A privacy policy typically consists of elements like: ● An effective date ● To whom the policy applies (employees/vendors) ● Type of information to deal with, such as electronic, paper, encrypted. ● Protection standards to abide by to keep users’ data safe ● Destruction standards to follow upon the termination of the contract with third parties ● Departments/executives to hash out questions and concerns ● Professional behaviour; repercussions of non-compliance Privacy notice According to IAPP, a privacy notice familiarises data subjects with how an organisation collects, uses, retains, and discloses their personal information. A privacy policy may also be referred to as a privacy statement, a fair processing statement, or a privacy policy. A privacy notice is an external statement made to users of a website. Purpose of Privacy Notice ● ● ● Data controllers use privacy notices at times when they collect personal information from data subjects. It’s a public declaration of how the data protection principles apply to data processed on a website. It unfolds into what information is collected, why it’s collected, and how the organisation stores, treats and shares consumers’ data. Contents required for Privacy Notice Contents of a privacy notice are from the following: ● Identity and contact details of the organisation ● Contact info of the organisation’s data protection officer (DPO) ● The intended purpose of data processing ● Timestamp of data, from collection to deletion ● Overseas data transfer information ● Lawful grounds for processing personal information ● Data subjects’ rights How to publicise privacy notice? A website should format concise, transparent, intelligible, and easily accessible privacy notice/statement in clear and plain language. This external statement to data subjects should generally appear as a pop-up, asking for their consent to categories that an enterprise finds fit for facilitating personalised website experiences as well as marketing and retargeting. A privacy notice can be communicated orally, in writing, through signage, and/or electronically. Stance of GDPR and CCPA on Privacy Notice The GDPR entitles an individual to eight data subject rights, which an organisation must explicitly explain in the privacy notice. These eight rights are right to be informed, right of access, right of rectification, right to be forgotten, right of portability, right to restrict processing, right to object, rights related to automated decision making (including profiling). CCPA refers to the obligation of a compatible data controller to provide consumers with explicit “notice” of how the data is collected, what types and categories of data are processed, why and how the data is processed, if and how data is shared with third parties, how consumers can retrieve the collected data, and company’s way of dealing with do not track settings. There are some exceptions to these regulations. All companies needn’t comply. These exemptions are based upon the company’s annual revenue, personal data collection capacity, and earning potential from the sale of data, etc. How do privacy policy and privacy notice differ? Although many websites use privacy policy and privacy notice interchangeably, it’s not technically sound to refer to a privacy notice as a privacy policy, and vice-versa. There is a narrow yet intelligible difference between the two that businesses need to understand. ● A simple difference between these two artefacts is how they are focused. Whereas a privacy policy is internally focused, privacy notice is a customer-facing facet of law. ● A privacy policy guides employees of an organisation into what they may--and may not--do with consumers’ personal information, whereas a privacy notice guides consumers, regulators, and other stakeholders into what an organisation does with their personal information. ● ● A privacy policy comprises more operational details than a privacy notice. A privacy policy discusses more significant details than a privacy notice, on how personal information is handled. While a privacy policy is directed at employees to make them “policy compliant” and strictly abide by laws and regulations, a privacy notice provides some flexibility to external stakeholders on the selection of cookie choices. Importance of privacy policy and privacy notice for organisations Privacy notice and privacy policy go hand in hand. These legal documents steer clear a website of unlawful damage and provide an edge over competitors in the long run. The importance of these documents varies with regional laws. However, amid the rapidly evolving stance of consumers towards data safety, it’s safe to say that transparency is the key to securing consumer trust, which makes it mandatory for an organisation to have a privacy policy and a privacy notice properly drafted. We at DataSecure endeavour to spread awareness regarding the protection of personal data on the internet and assist organisations to tune in with the privacy compliances. Get in touch to have your privacy documents reviewed.