On your site you should have a page called 'Privacy Policy' that outlines the following points. It can be in a bulleted format or a short paragraph as long as you're clear, specific and thorough.
It must state:
- what data you're collecting
- why you need the data
- how the data will be used
- who will see it
- if that data will be transferred to a recipient outside the EU
- how long you intend to keep it (retention cannot be indefinite and must be minimized where possible)
This covers any information about a user. Examples include email addresses, IP addresses (always list these, as they are always collected), names, usernames, passwords, security questions and user preferences.
All data collected should be stored securely and safeguarded against data breaches. A statement that the data is securely stored should be mentioned in the privacy policy. The data collected must be relevant to its necessary purpose.
The user needs to be able to:
- access the data collected upon request
- correct any incorrect data you may have
- request that you delete all personal data about them that you hold
The user should be told how to do this. Over email is fine.
Third-party data:
Keep in mind that your site may sometimes exchange data with third parties (perhaps without you knowing). This is often the case with Google and Facebook, as they provide many of the elements you find embedded in web pages. As such, list which companies are collecting what data. This is quite technical and could be difficult to do thoroughly. If you need some help, feel free to contact the team and we can walk you through it.
Here are some potentially useful links on the GDPR: