Instead of unity, we now have new long reference documents missing the intrinsic content of what the GDPR was supposed to bring. Instead of a transparent list in an easy-to-read format, we now have legal speak trying to mask how companies make a profit from your data.
You should already know how you handle data. Imagine you’ve gone out to a corporate networking event and, having had a few beverages, you find yourself talking to someone who knows nothing about your business or IT. In a slightly tipsy way (I may have undersold the ‘few beverages’), could you describe where your data goes? Who else gets access to a copy and how they will use it? Imagine trying to describe it in the most simplistic way, to someone who might not be fully capable of receiving or remembering the information as you provide it.
The way you describe your services and how you gain consent are not just requirements of the GDPR but have been legal requirements for more than 20 years. The Privacy and Electronic Communications Regulations (PECR) were born in 2003 and amended in 2004, 2011, 2015 and 2016. The biggest of these changes came in 2011 (back when I was working on one of the UK’s biggest websites that handled medical data). Dubbed ‘the cookie law’ by most people, it went to great lengths to set out how businesses must describe how they gather information and how they use it.
So what is good?
Policies are meant to be interpretations of law, readable by all, not binding contracts understandable only by those in the legal profession.
Paying for visual advertising