At the moment, when your organisation collects people’s personal data your privacy notice needs to tell them who you are and how you plan to use their data. Under the GDPR your privacy notice must contain some additional information. You need to communicate your legal basis for processing data, your data retention periods and you must inform people that they have a right to complain to the Information Commissioner’s Office (ICO) if they are unhappy with the way you are handling their data.
Transparency and Clarity
It will no longer be good enough to provide a link to a long-winded privacy notice that hardly anybody reads. The GDPR says that companies must:
- write information in a concise, transparent way
- use plain language, particularly if the recipient is a child
- provide this information free of charge.
The ICO say: ‘being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.’
The Big Issue
How do you share your privacy notice with the data subject when you didn’t obtain personal data from them directly? Under the GDPR you are required to provide these people with privacy information just as you would if you had collected the data directly. Obviously, this is tricky. The ICO recommends carrying out a privacy impact assessment (PIA), which is a method of assessing and alleviating privacy risks.
If you are working with a repeat customer who is simply renewing your service you don’t need to re-issue your privacy notice unless some aspect has changed. There’s no need to send information twice.
Example Privacy Notice
Before writing a privacy notice consider:
- What information is being collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What effect will your data processing and sharing activities have on the data subject?
- Is the intended use likely to raise complaints?
Here is a basic outline of a privacy notice layout:
Jane Jones Industries Ltd will be the controller of the personal data you provide (the ‘data controller’). We only collect personal data that is necessary to provide you with our service. This includes your name, address, email and phone number.
Why we need your data
We need your basic personal data so that we can provide you with our charity updates. We never collect any data that we don’t need to provide this service.
What we do with your data
All personal data is processed in our UK office. No third parties have access to your personal data unless the law states otherwise. We have a data protection system in place to manage the effective and secure processing of your personal data. You can view our data protection policy on our website: http://www.JaneJonesIndustries.co.uk/data protection policy.
How long we keep your data
We only keep your personal data for as long as you wish to receive charity updates from us. We will keep your information until you notify us that you no longer wish to receive charity updates. To cancel updates email: email@example.com.
What we would also like to do with your data
With your permission, we would like to use your name, address and email address to inform you about charity events. Please visit our website to subscribe to this service. Your personal data is not shared with third parties and you can unsubscribe from charity event news at any time by telephone, email or via our website.
What are your rights?
You have a right to see the personal data we hold about you and to have it corrected or deleted. If you wish to raise a complaint about the way in which we have handled your personal data you can contact us to have the matter investigated: complaints@JaneJones.co.uk.
If you are not satisfied with our response to your complaint then you can complain to the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/.
For more details visit the ICO’s website.
Depending upon the nature of your business, your privacy notice may need to contain a lot of detailed information. You can meet the GDPR’s requirement to make this information accessible to your data subjects by ‘layering’. Layering means that you write a concise paragraph or two under the headings in your privacy notice, finishing each section with a hyperlink: ‘please follow this link for further information’. That way, the data subject hasn’t been overwhelmed by the information in your privacy notice but has been given the opportunity to delve into more detail.
Our on-site GDPR Awareness course explores the concept of ‘privacy’ and the other key requirements of the GDPR in detail. It’s a cost effective way of getting employees of all grades up to speed with the new legislation’s requirements. Contact us for more details or to discuss the specific needs of your business.