Data Protection Diary December 2021

My Data Protection Diary: When your Privacy Policy Does Not Comply with the General Data Protection Regulation...

Welcome back to the last page of the 2021 'My Data Protection Diary'.

Another challenging year is now over... For each of us there will have been days full of success and others full of challenges that have accompanied us in during the seasons this year.

For the last page of my diary for 2021, I will talk about the news from the world of data protection that has fascinated and amazed me the most in the last 12 months.

Have you heard about the 'WhatApps case'? I am sure that 99% of you, however, use it daily, indeed it seems to be almost essential ... how many of you could live without it? I imagine, not many...

And if there have been a lot of challenges in the last 12 months for us all, the Irish supervisory authority (SA) have faced a fair few additional challenges…

WhatsApp is one of the most used apps in the world, allows its users to stay in touch wherever they are. At the end of the summer 2021, it was fined € 225 million for failing to comply with the basic principles of the General Data Protection Regulation (GDPR): WhatsApp had not adequately described its legitimate interests to data subjects for the processing of personal data, as required under article 13 (1) (d) of the GDPR.

Essentially, WhatsApp has been accused of a lack of transparency and lack of detail in the information provided in its Privacy Policy.

Wow... € 225 million fine for all of this!

Pen in hand and open ears, ready for my session with Kellie. Join us too, top tips and information from our expert is on its way.

G.P.: My first question for you, Kellie, may seem trivial... but apparently after the case of WhatsApp it isn't. What elements should a Privacy Policy contain?

K.P.: An excellent question I would say, given that the WhatsApp case was not the only one in this area during 2021.

The Privacy Policy is a document, which informs users about the processing of their personal data, and is often shared via the organisation's website or within their app, to make access easy for the majority of users.

The personal data referred to often includes the user's name, surname, or e-mail address, as well as any non-essential cookies, such as those used by Google Analytics.

Each Privacy Policy must contain:

  • The type of data collected (e.g. Name, e-mail);
  • The identity and contact information of the individual responsible for data protection within the organisation;
  • Details of any third parties who will have access to this data (e.g. Facebook, Google);
  • The purposes for which the data is collected (e.g. advertising, sending newsletters, statistics);
  • Users' rights.

In addition to this information, the document must be written in a concise and simple language. If WhatsApp is used by children (under the age of 18 in the UK), the information contained within the document must also be understandable to them.

G.P.: I believe that specific language is important, but I find simplicity of language essential. The latest generation Apps are used above all by young children and they, like us, must be aware of what is written in the Privacy Policy.

Creating a Policy which complies with GDPR requires detailed work from the organisation. When we do this, we work very closely with the team to ensure we understand what data processing takes place, and why, so that the policy correctly reflects their activities. The cost is not perceived to be competitive when compared with a template that can be purchased online and your company name inserted to make you ‘compliant’. What's the biggest risk Kellie?

K.P.: Excellent question, the template is a potential risk which could lead to authorities fining organizations. And why?

A template downloaded online is certainly more convenient, but the risk associated with its use is high, let's examine why:

  • The template is pre-prepared and therefore it is not relevant or tailored for all sectors, because the needs of your company will be different from those of another in another sector.
  • Not being tailored to you and your needs, your privacy policy would not then specify all your purposes for processing your customers' data, or may rely on incorrect legal bases. Therefore, the lack of accurate information and a lack of transparency may make your company non-compliant with the GDPR.

If the savings on the initial investment in adopting a ready-made template are high, non-compliance with the GDPR leads to larger fines, which cannot be compared to the purchase of a Privacy Policy tailored for you.

G.P.: From a marketing perspective, let me say that if you want your product or service to be high quality, you have to make sure that your processes also comply with regulatory standards and are professional.

People buy your brand and therefore the process behind it.

At the end of my chat session, Kellie could you list us which top tips to avoid fines like the case of WhatsApp?

K.P.: I love to share useful top tips, Giulia.

I will share the most essential ones from a data protection point of view:

  • Consider your audience and ask a professional to write your Privacy Policy, tailored to you and suited to the needs of your business.
  • Make sure your Privacy Policy is understandable to everyone. We have a Privacy Policy on our website, which is written in a style that is easier for young people to understand. Whilst we don’t target young people with our services, we recognise they may come across our website in some circumstances, researching for a school / college project for example. Check it out here
  • If you are tempted to download a ready-made template for its affordable price, remember that WhatsApp has been fined € 225 million for not complying with the GDPR.

It's not just about ticking a box though, proper consideration of the information you share with your stakeholders means you'll build a good, trusting relationship with them and they won’t be concerned about what you are going to do with their data.

Thanks Kellie for our last session together for this 2021.

It was nice to get useful information on current topics that interest us all.

Thanks to you who have read the pages of my 2021 diary ... stay tuned, something new is coming for 2022.

In the meantime, I hope you toast your successes this year and recharge your batteries ready for 2022.

Merry Christmas and Happy New Year!

Giulia xxx

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.

Latest News & Events

What Is a Data Leak and How Do They Happen?

Data leaks are a serious problem for organisations and individuals. In this day and age, individuals freely provide personal information to organisations, therefore a data leak can have a significant impact on both the company and the person. They often involve the exposure of personal data (such as name, address and financial details), with additional damage to the company or organisation in terms of potential financial loss and reputational damage.

Read more

Register for News from Databasix

If you would like to stay up to date with the latest news and events from Databasix please click below, add your details and you will be added to our mailing list.

Contact Databasix

Tel 01235 838507

Databasix UK Ltd
is a registered company in England & Wales
Registration No. 08771007

Harwell Innovation Centre
Building 173
Curie Avenue
Harwell Oxford
OX11 0QG

Supported by Business Resilience secured by OxLEP Business
Supported by Business Resilience secured by OxLEP Business