The simple changes required to privacy notices under the GDPR

By Nigel Jones

Co Founder of The Privacy Compliance Hub

March 2018

What are ‘privacy notices’?

Let’s go back to basics – what is a privacy notice and what is it for? A privacy notice is an explanation of how an organisation handles personal information and what rights an individual has in relation to that information. The idea is that each individual should know what an organisation does with his or her personal information. If that individual doesn’t like what he or she reads in an organisation’s privacy notice, then he or she can choose not to share personal information with that organisation.

What’s the difference between a privacy notice and a privacy policy?

The two terms are often used interchangeably but technically, privacy notices are public-facing documents, whereas privacy policies are often internal documents that explain data processing responsibilities to employees to maintain GDPR compliance.

What is the purpose of privacy notices?

Almost every website has a link to a privacy notice. More often than not it is tucked away in the footer of a web page. It’s probably fair to say that very few people actually read them. However, data protection regulators and consumer protection bodies are very concerned about what is in such policies, where they are found and how they are brought to the attention of individuals.

Under the General Data Protection Regulation (GDPR) that scrutiny has increased, as has the number of things that must be included in such privacy notices.

The GDPR strengthened the rights of individuals. One element of the regulation requires that privacy notices include more information. Previously, regulators were frustrated with the number of vague, long and often complicated privacy notices, half hidden on websites, which did not inform individuals as they should. The GDPR aims to give individuals genuine choices in relation to how organisations process their personal information.

How has the GDPR changed organisations’ approach to privacy notices?

Due to the GDPR, organisations are now a lot more careful about what they put in privacy notices and where and when they display them. Individuals are also a lot more savvy about their rights and, in our experience, are much more likely to challenge organisations in relation to their policies and the manner in which they process personal information. As data protection specialists, we have extensive experience in overcoming these challenges.

Organisations are taking steps to ensure that privacy notices are true, concise, transparent, intelligible and easily accessible. In other words, they are not writing them in complex legal language and are making them easy to find. They are using what are called ‘just in time notices’, which tell an individual what the organisation is going to do with his or her personal information at the moment that individual provides it.


What should be included in a privacy notice?

The following should be included:

  • Name and contact details of the controller and their representative (e.g. the data protection officer).
  • The purpose of the processing and the legal basis for it (e.g. we need your address to deliver goods to you in line with the contract between us).
  • Any legitimate interests for processing (e.g. we use Royal Mail to deliver your goods and it is in our legitimate interest to pass your address details to them for that purpose).
  • The categories of personal information processed (e.g. name, address and credit card details).
  • Any organisations the personal information is shared with (e.g. sharing of IP address with Google Analytics).
  • Details of transfers of personal information outside the EEA.
  • How long the personal information is kept for (e.g. for 12 months after an individual ceases using the services).
  • Information on all of an individual’s rights (e.g. their right to erasure of their personal information).
  • Information on an individual’s right to withdraw consent to processing.
  • Information on an individual’s right to complain to the regulator.
  • Where the individual’s personal information came from (e.g. from a third-party cookie).
  • Whether the individual has to provide the personal information as a matter of law (e.g. a national insurance number so they can get paid).
  • Details of any automated decision-making carried out using the personal information (e.g. use of bank transaction data to determine a loan application).

How often should a privacy notice be updated?

You should review and update your privacy notice regularly to make sure it still reflects your current data processing activities. It may need to be updated to include a new product or service, to cover sharing data with a new partner or vendor, or to describe any new way in which you are using data. At a minimum, you should review your privacy notice at least once a year.


Making sure your organisation’s privacy notice is compliant

Carry out an inventory of what personal information your organisation processes. You need to know what you have got, what you do with it, who you share it with, how long you keep it and what you do with it when you no longer need it. Only once you have carried out this review will you be able to move on to the next step of reviewing your privacy notices and policies. These documents need to reflect the information you have gathered in your inventory process and follow the requirements of the GDPR.

One of our clients is an educational app platform. Its users are children and their teachers. As children need to understand the privacy policy, the client decided that children should write it. That way, instead of writing a complicated policy and then having to simplify it, they started with a simple policy and worked it up to include everything that the GDPR requires (as well as probably correcting a few spelling mistakes!).

How the Privacy Compliance Hub can help

The Privacy Compliance Hub includes over 30 template documents (including privacy notices and audit questionnaires) to assist a company in complying with data protection law, including the GDPR. It provides these templates as part of a comprehensive compliance product which enables an organisation to build, maintain and demonstrate its data protection compliance.

If you would like to discover more, watch the video available on our website, or get in touch using the contact details on our website. We’d love to hear from you!
