
Robust Privacy Policies in Place, Are You Enforcing Them?


Privacy Policy Gaps: How Email Archiving and Retention Can Help Fill Them

You posted your Privacy Policy online and sent a communication out to your network. Great. Unfortunately, that was 3 years ago, and now it is time to evaluate where the gaps are in your Privacy Policy.

After the GDPR (General Data Protection Regulation) came into force in May 2018, all organisations with a public-facing website took action to ensure that website complied with the GDPR by publishing a privacy notice/policy on it. Articles 12, 13 and 14 of the GDPR (as well as others) include rules on giving private information to data subjects.

The CCPA requires business privacy policies to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.

The fear of massive fines and reputation damage got many organisations to publish privacy notices on their website by the deadline date. Some organisations brought in expensive consultants and hired extra staff, while many others downloaded simple templates from the internet to tick this box. But putting up a Privacy Policy is not enough. Privacy Policy gaps are appearing: are we doing what we say we are doing?

So, what is a privacy notice/policy?

A privacy notice/policy is a document that organisations give to individuals to explain how their personal data is processed. It should outline how the company manages their data. It has two aims: to promote transparency and to give individuals more control over the way their data is collected and used.

Transparency is a key principle of the GDPR, as it prevents organisations from processing personal data without data subjects’ knowledge or approval.

Privacy policies are in place, but are you complying with your own statement?

Organisations are making progress in being clear about how users’ personal data is being protected. Companies are disclosing what information is being collected, how long it is being kept, and who it is shared with. But the good news for most companies stops there. Organisations are seriously lagging when it comes to transparency: there are many gaps between what a company’s privacy policy says and what is being enforced.

The feared wave of fines did not materialise in 2018. However, we are now three years in, and fines are being imposed. The residential property company Deutsche Wohnen was fined the largest amount ever in Germany for a data protection violation: 14.5 million euros. The reason for this enormous sum was the archiving system used throughout the company, which did not provide any possibility for the deletion of data that the company no longer required.

Among EU member states, the highest individual GDPR fines were issued by France, Germany, and Italy.

Are there gaps in YOUR privacy policy?

Consider the following questions.

  • How does your company ensure it is not keeping personal data for longer than it is needed?
  • How do you review the data you hold and erase it when you no longer need it?
  • How are your retention periods managed?

If you are unsure how to answer any of the above questions, then you are at risk of not complying with the GDPR and are putting your organisation at risk.

The Compliance Challenge checklist: are you complying with the following?

Can you step up to the challenge? See how many boxes below you can tick. This challenge will help identify the gaps in your privacy policy.


The GDPR, alongside other government, federal, state and industry regulations, requires organisations to retain digital communication data for potential review and retrieval.

☐ We know what personal data we hold and why we need it.

☐ We carefully consider and can justify how long we keep personal data.

☐ We have a policy with standard retention periods where possible, in line with documentation obligations.

☐ We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.

Storage Limitation: Deletion

Are you disposing of data within the required period? Without a proper compliance strategy and archiving software, organisations tend to hold onto email and file data way beyond the periods mandated by retention requirements.

☐ We regularly review our information and erase or anonymise personal data when we no longer need it.

☐ We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.

Data Minimisation

Data minimisation requires businesses to process only ‘adequate, relevant and limited’ personal data that is ‘necessary’, which means businesses need a solution that is able to meet the demands of the GDPR.

☐ We only collect personal data we need for our specified purposes.

☐ We have sufficient personal data to properly fulfil those purposes.

☐ We periodically review the data we hold and delete anything we do not need.

If you are unable to tick all the boxes above, you are potentially exposing your organisation to the risk of non-compliance with the GDPR and other data protection legislation.

Do you update your privacy policy to reflect your data practices?

When was the last time you updated your Privacy Policy? Was it when you wrote it? If so, your policy is likely due for a tune-up.

Only your company knows whether your Privacy Policy truly reflects your data practices, but your customers might get an inkling sooner than you think, particularly in our increasingly privacy-conscious culture.

All in all, you want to be sure that your Privacy Policy reflects both your data practices and your customers’ privacy expectations. If you can do that, you are more likely to write a meaningful Privacy Policy as well as one that complies with existing and future privacy legislation.

The cost of compliance goes well beyond the regulatory fines that we see in the news. It can also include reputation damage, recovery plan implementation, eDiscovery costs, costs of diagnosing the source or loss of a breach, and notification costs.

The Solution

An archiving solution that fulfils all requirements, has low administration costs, and has a team of data management experts on hand is Waterford Technologies. Waterford Technologies is a proactive solutions provider focused on Email and File Compliance and Management. We have vast experience in helping our clients meet their compliance requirements, reducing risk, and addressing eDiscovery requests easily, quickly, and successfully. Our teams of experts will help you evaluate your Privacy Policy and identify the gaps around data retention, deletion and minimisation. Talk to us today.