What are ‘privacy notices’?

Let’s go back to basics: what is a privacy notice and what is it for? A privacy notice is an explanation of how an organisation handles personal information and what rights an individual has in relation to that information. The idea is that each individual should know what an organisation does with his or her personal information. If an individual does not like what he or she reads in an organisation’s privacy notice, he or she can choose not to share personal information with that organisation.

What is the purpose of privacy notices?

Almost every website has a link to a privacy policy. More often than not it is tucked away in the footer of a web page. It’s probably fair to say that very few people actually read them. However, even under the existing law, data protection regulators and consumer protection bodies are very concerned about what is in such policies, where they are found and how they are brought to the attention of individuals.

Under the General Data Protection Regulation (GDPR), which has applied since 25 May 2018, that scrutiny has increased, as has the number of things that must be included in such policies (or privacy notices, as they are also known).

The GDPR strengthens the rights of individuals. In particular, Articles 13 and 14 of the regulation require privacy notices to include more information than before. The regulators were frustrated by the number of vague, long and often complicated privacy notices, half hidden on websites, which did not inform individuals as they should. The GDPR aims to give individuals genuine choices about how organisations process their personal information.

How has the GDPR changed organisations’ approach to privacy notices?

Since the GDPR, organisations have become a lot more careful about what they put in privacy notices and where and when they display them. Individuals are also a lot more savvy about their rights and, in our experience, are much more likely to challenge organisations about their policies and the manner in which they process personal information. As data protection specialists, we have extensive experience in overcoming these challenges. Read more about us here.

Organisations are taking steps to ensure that privacy notices are concise, transparent, intelligible and easily accessible, and written in clear and plain language, as Article 12 of the GDPR requires (and, of course, that they are accurate). In other words, they are not writing them in complex legal language and are making them easy to find. They are also using what are called ‘just-in-time notices’, which tell an individual what the organisation is going to do with his or her personal information at the moment the individual provides it, for example a short note beside a form field.

What should be included in a privacy notice?

The following should be included (see Articles 13 and 14 of the GDPR):

  • Name and contact details of the controller and, where applicable, its representative, together with the contact details of the data protection officer if one has been appointed.
  • The purpose of the processing and the legal basis for it (e.g. we need your address to deliver goods to you in line with the contract between us).
  • Where the legal basis is legitimate interests, what those interests are (e.g. we use Royal Mail to deliver your goods and it is in our legitimate interest to pass your address details to them for that purpose).
  • The categories of personal information processed (e.g. name, address and credit card details).
  • The recipients, or categories of recipients, the personal information is shared with (e.g. sharing of IP addresses with Google Analytics).
  • Details of transfers of personal information outside the EEA and the safeguard relied on (e.g. storage with a cloud hosting provider based in the USA; note that the Privacy Shield certification commonly cited at the time was invalidated by the Court of Justice of the EU in July 2020, so standard contractual clauses or another valid mechanism would now be needed).
  • How long the personal information is kept for or, if that cannot be stated, the criteria used to decide the retention period (e.g. for 12 months after an individual ceases using the services).
  • Information on all of an individual’s rights: access, rectification, erasure, restriction of processing, data portability and objection (e.g. their right to erasure of their personal information).
  • Where processing is based on consent, information on the individual’s right to withdraw that consent at any time.
  • Information on an individual’s right to complain to the regulator.
  • Where the personal information was not obtained directly from the individual, where it came from (e.g. from a third-party cookie).
  • Whether the individual has to provide the personal information as a matter of law or contract, and the consequences of not providing it (e.g. a national insurance number so they can get paid).
  • Details of any automated decision-making, including profiling, carried out using the personal information, with meaningful information about the logic involved and the likely consequences for the individual (e.g. use of bank transaction data to determine a loan application).

Making sure your organisation’s privacy notice is compliant

Carry out an inventory of what personal information your organisation processes. You need to know what you have got, what you do with it, who you share it with, how long you keep it and what you do with it when you no longer need it. Only once you have carried out this review will you be able to move on to the next step: reviewing your privacy notices. These notices need to reflect the information you have gathered in your inventory process and follow the requirements of the GDPR.

One of our clients is an educational app platform. Its users are children and their teachers. As children need to understand the privacy notice, the client decided that children should write it. That way, instead of writing a complicated notice and having to simplify it afterwards, they started with a simple notice and worked it up to include everything that the GDPR requires (as well as probably correcting a few spelling mistakes!).

How The Privacy Compliance Hub can help

The Privacy Compliance Hub includes over 30 template documents (including privacy notices and audit questionnaires) to assist a company in complying with data protection law, including the GDPR. It provides these templates as part of a comprehensive compliance product which enables an organisation to build, maintain and demonstrate its data protection compliance.

If you would like to discover more, watch the video available on our website, or get in touch using the contact section below. We’d love to hear from you!