You should include:
- Your business and contact information. Include your organisation's (and DPO's) full name, address and any other contact information.
- The categories of data you collect, how you collect it and the purpose of collecting it. Describe the categories of personal information collected, sold, shared and disclosed within the preceding 12 months, what types of information you collect, how you collect or source data and what you intend to do with your users’ data.
- The legal basis of data collection. Make sure it’s a legal basis that is listed out as an acceptable legal basis for collection by the GDPR.
- Consumer rights. Clearly describe the rights that the users or data subjects whose data you collect possess, and how they can exercise those rights.
- Who you share personal information with. Disclose whether or not you sell personal information or have sold certain categories of personal information in the last 12 months.
- Whether the data will be transferred across borders and whether it’s voluntary or mandatory collection. Establish safeguards to enable a compliant data transfer and indicate what categories of collected data are required or optional.
- Your data retention policies, security measures and financial incentive programs. Explain how long you intend to retain users’ data and what criteria you will use to determine when you’ll delete that data.
Follow this checklist and enjoy the peace of mind that comes with it.