Follow these steps:
- Take care of data protection. Taking consent from site visitors is not enough. It is important not to transfer information to third parties and to physically protect it from leakage. Set passwords for computers and servers where you store information.
The document should include the following items:
- Definitions of terms. Automated processing, depersonalization of information, and cross-border transfer are only some of the terms used in the document. So that visitors understand what they mean, operators define them at the beginning of the PP.
- Operator information. Specify the name of the operator — an individual or organization that works with personal information. If the data about the operator changes, do not forget to update the PP on the site promptly.
- Reasons for obtaining data. List the documents that allow the processing of personal information: user agreement, links to regulatory legal acts, and so on. Add an action by which the user permits the collection of data. For example, offer a checkbox next to the relevant notification.
- Purposes for collecting information. Explain why the site collects user data. For example, an online store collects data so that users can place orders and receive marketing mailings, an information blog so that they can register a personal account, and a company website in order to personalize content.
- The types of data that the operator collects. List any information the site asks users for or tracks through cookies. Do not include all kinds of personal information in this section just for show. For example, collecting users’ home addresses when registering on an online course site doesn’t make sense.
- The order of use. Explain how the operator works with the information received: collects, stores, refines, systematizes, or deletes data. List all actions so that users have no doubts about the PP.
- Ensuring the security of information. Explain how the operator protects data received from site visitors: it uses anti-virus programs and does not transfer information to third parties. Notify users that they have the right to withdraw consent to the processing of data, and tell them how to do so, for example, by sending a written statement.
- Biometric data. Not all companies work with biometric data, but those that do should have a corresponding section in the policy. It sets out the procedure for obtaining the subject's consent to the processing of information.
- Cross-border transfer. If the site operator transfers user information to individuals or organizations abroad, then an additional section is included in the policy. It defines the grounds and procedure for data transfer.