What are ‘privacy notices’?
Let’s go back to basics: what is a privacy notice and what is it for? A privacy notice is an explanation of how an organisation handles personal information and what rights an individual has in relation to that information. The idea is that each individual should know what an organisation does with his or her personal information. If that individual doesn’t like what he or she reads in an organisation’s privacy notice, then he or she can choose not to share their personal information with that organisation.
The terms ‘privacy notice’ and ‘privacy policy’ are often used interchangeably, but technically privacy notices are public-facing documents, whereas privacy policies are often internal documents that explain data processing responsibilities to employees in order to maintain GDPR compliance.
What is the purpose of privacy notices?
Almost every website has a link to a privacy notice. More often than not it is tucked away in the footer of a web page. It’s probably fair to say that very few people actually read them. However, data protection regulators and consumer protection bodies are very concerned about what is in such notices, where they are found and how they are brought to the attention of individuals.
Under the General Data Protection Regulation (GDPR) that scrutiny has increased, as has the number of things that must be included in a privacy notice.
The GDPR strengthened the rights of individuals. One element of the regulation requires that privacy notices must include more information. Previously, regulators were frustrated with the number of vague, long and often complicated privacy notices, half hidden on websites which did not inform individuals as they should. The GDPR aims to give individuals genuine choices in relation to how organisations process their personal information.
How has the GDPR changed organisations’ approach to privacy notices?
Due to the GDPR, organisations are now a lot more careful about what they put in privacy notices and where and when they display them. Individuals are also a lot more savvy about their rights and, in our experience, are much more likely to challenge organisations in relation to their policies and the manner in which they process personal information. As data protection specialists, we have extensive experience in overcoming these challenges. Read more about us here.
Organisations are taking steps to ensure that privacy notices are true, concise, transparent, intelligible and easily accessible. In other words, they are not writing them in complex legal language and are making them easy to find. They are using what are called ‘just in time notices’ which point out to an individual what they are going to do with that individual’s personal information at the time that individual provides it.
What should be included in a privacy notice?
The following should be included:
- Name and contact details of the controller and their representative (e.g. the data protection officer).
- The purpose of the processing and the legal basis for it (e.g. we need your address to deliver goods to you in line with the contract between us).
- Any legitimate interests for processing (e.g. we use Royal Mail to deliver your goods and it is in our legitimate interest to pass your address details to them for that purpose).
- The categories of personal information processed (e.g. name, address and credit card details).
- Any organisations the personal information is shared with (e.g. sharing of IP address with Google Analytics).
- Details of transfers of personal information outside the EEA.
- How long the personal information is kept for (e.g. for 12 months after an individual ceases using the services).
- Information on all of an individual’s rights (e.g. their right to erasure of their personal information).
- Information on an individual’s right to withdraw consent to processing.
- Information on an individual’s right to complain to the regulator.
- Where the individual’s personal information came from (e.g. from a third-party cookie).
- Whether the individual has to provide the personal information as a matter of law (e.g. a national insurance number so they can get paid).
- Details of any automated decision-making carried out using the personal information (e.g. use of bank transaction data to determine a loan application).
How often should a privacy notice be updated?
You should review and update your privacy notice regularly to make sure it still reflects your current data processing activities. It may need to be updated to include a new product or service, cover sharing data with a new partner or vendor, or detail whether you’re using data in another new way. At a minimum, you should review your privacy notice at least once a year.
Making sure your organisation’s privacy notice is compliant
Carry out an inventory of what personal information your organisation processes. You need to know what you have got, what you do with it, who you share it with, how long you keep it and what you do with it when you no longer need it. Only once you have carried out this review will you be able to move onto the next step of reviewing your privacy policies. These policies need to reflect the information you have gathered in your inventory process and follow the requirements of the GDPR.
How the Privacy Compliance Hub can help
The Privacy Compliance Hub includes over 30 template documents (including privacy notices and audit questionnaires) to assist a company in complying with data protection law, including the GDPR. It provides these templates as part of a comprehensive compliance product which enables an organisation to build, maintain and demonstrate its data protection compliance.
If you would like to discover more, watch the video available on our website, or get in touch using the contact section below. We’d love to hear from you!