Elements of a Solid Privacy Policy
A few weeks back, I wrote about the ways in which organizations are addressing GDPR and data privacy overall. Whether you are a small nonprofit, large foundation or government agency, you need to have a solid privacy policy in place that gives your users the assurance that you respect and abide by their rights to data privacy. As you craft or update yours, here are some of the big ticket items that should be included.
List all the information you collect from your users
Be explicit, not general. List the specific places on your website, and elsewhere in your organization, where you collect personal information. A good practice is to describe where data is collected, followed by the information you collect. For example, “when you make a donation on our website, we collect your name and credit card information for this purpose.”
Share how you use your users’ information
GDPR says you need to have a lawful basis for collecting and processing personal information. The two most likely lawful bases for that processing will be: (1) you’ve received explicit consent, or (2) you have a “legitimate business interest.” A good privacy policy states your lawful basis for processing the data as well as how it is actually processed. For example, here’s how GlobalGiving describes how they use your data with regard to donations, and the legal basis for doing so:
“GlobalGiving uses the personal data that you provide or we obtain to process your donations, contact you regarding any questions related to your donation, mail gift cards related to your donation (if applicable), and ensure that Gift Aid can be claimed (if you are eligible). Use of this data is necessary for the performance of the contract between you and us in connection with your donation. If you do not provide the necessary data to us or our payment service provider, we will not be able to process your donation.”
Disclose with whom you share your users’ data
GDPR requires that you tell EU citizens who receives their information. This could be technical partners (like an email list management company), governments (for some legal reporting purposes), or any third party that may have access to the data your organization has collected.
Explain how your users can exercise their data rights
GDPR protects eight specific rights citizens have over their data, and your privacy policy should say how they can exercise those rights with respect to your organization. Those rights are:
- Right to access
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to withdraw consent
- Right to lodge a complaint with the data protection authority
Be sure to say, in plain language, what users can do in order to exercise their rights. Best practices are to include links to forms, email addresses, or functions within your website.
Assure your users that you are protecting their data
There are two key things you should be doing to protect users’ data: (1) technically securing the data with modern encryption systems, and (2) having internal policies and procedures that dictate who can access and/or use this data, how, and for what reasons. Once your organization has put these measures into place, reassure your users of your approach by describing them in your privacy policy.