Under the General Data Protection Regulation (GDPR), organisations must create a privacy notice explaining to individuals how their personal information is used.
But what is a privacy notice, and what should it contain? We explain everything you need to know in this blog – along with a GDPR statement example.
What is a privacy notice?
A privacy notice is one of several documents required under UK data protection law.
Unlike many of these documents, which are strictly internal, a privacy notice is provided to customers and other interested parties. It is designed to explain how the organisation processes their personal data.
There are two reasons for doing this. First, it offers transparency about how personal data is being used, ensuring a level of trust between the organisation and the individual.
Second, it gives individuals more control over how their data is used. If there’s something they aren’t happy with, they can submit a DSAR (data subject access request) or ask the organisation to suspend that processing activity.
How to write a privacy notice
Article 30 of the GDPR explains that a compliant document should include the following details:
1) Contact details
The first thing to include in your privacy notice is your organisation’s name, address, email address and telephone number.
If you’ve appointed a DPO (data protection officer) or an EU/UK representative, you should also include their contact details.
2) The types of personal data you process
The definition of personal data is a lot broader than you might think. You must therefore ensure you’ve included everything necessary, and provided appropriate detail.
For example, instead of just saying ‘financial information’, state whether it’s account numbers, credit card numbers, etc.
You should also outline where you obtained the information if it wasn’t provided by the data subject directly.
For an idea of what this might look like, take a look at our privacy notice template:
Be as specific as possible about the type of information you collect and how you obtained it.
3) Lawful basis for processing personal data
Under the GDPR, organisations can only process personal data if there is a lawful basis for doing so. Your privacy policy should specify which one you’re relying on for each processing purpose.
If you are relying on legitimate interests, you must describe them. Likewise, if you’re relying on consent, you should state that it can be withdrawn at any time.
Remember that there are specific rules for processing special categories of personal data.
4) How you process personal data
You must explain whether you will be transferring personal data to third parties.
We suggest specifying how you will protect shared data, particularly when the third party is based outside the EU.
You might be required to state whether data will be shared with organisations based outside the EU.
5) How long you’ll be keeping their data
The GDPR states that you can only retain personal data for as long as the legal basis for processing is applicable.
In most cases, that will be easy to determine. For example, if you are required to process the personal data to fulfil contractual requirements, you should keep the information for as long as you perform the task for which the contract relates.
Likewise, organisations should hold on to any personal data processed to fulfil a legal obligation or public task for as long as those activities are relevant.
Things are trickier with consent and legitimate interests, as there may not be a clear point at which those activities end.
As such, we recommend reviewing your data retention practices at least every two years.
6) Data subject rights
The GDPR gives individuals eight data subject rights, which you should list and explain in your privacy notice:
- Right to be informed: organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
- Right of rectification: individuals can correct inaccurate or incomplete data.
- Right to be forgotten: in certain circumstances, individuals can ask organisations to erase any personal data stored on them.
- Right of portability: in some circumstances, individuals can request that an organisation transfers their personal data to another company.
- Right to restrict processing: in some circumstances, individuals can request that an organisation limits its use of personal data.
- Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
- Rights related to automated decision making, including profiling: in most circumstances, individuals have the right to object to activities where automatic decisions are made based on their personal data.
Create your own privacy notice with our template
You can find everything you need to create a GDPR-compliant privacy policy with our template.
Our template privacy notice includes annotations to ensure you meet the GDPR’s requirements.
This GDPR template, created by data protection experts, helps you quickly create a privacy notice that meets the Regulation’s requirements.
Is a privacy notice the same as a privacy policy?
Although they cover many of the same topics, you shouldn’t confuse privacy notices with privacy policies.
In the context of the GDPR, a privacy notice is a publicly accessible document produced for data subjects.
By contrast, a GDPR privacy policy is an internal document explaining the organisation’s obligations and practices for meeting its compliance requirements.
When should you provide a GDPR privacy notice?
Data controllers must provide a privacy notice whenever they obtain a data subject’s personal information.
The only times this isn’t necessary are when:
- The data subject already has the information provided in the privacy notice;
- It would be impossible or involve a disproportionate effort to provide such information;
- The organisation is legally required to obtain the information; or
- The personal data must remain confidential, subject to an obligation of professional secrecy.
When an organisation obtains personal information from a third party, it must provide a privacy notice within a month.
This should be done the first time the organisation communicates with the data subject or when the personal data is first shared with another recipient.
The easiest way to provide a privacy notice is to post it on your website and link to it whenever appropriate.
If you don’t have a website, you should make a physical copy of your privacy policy available.
Writing your privacy notice
Your privacy policy must be written in clear and straightforward language that data subjects can easily understand.
This is particularly important when processing children’s personal data, as there are many concepts that you’ll have to explain in more detail.
In general, privacy policies should be written in the active voice and avoid unnecessary legalese and technical terminology.
Likewise, you should avoid qualifiers such as ‘may’, ‘might’, ‘some’ and ‘often’, as they are purposefully vague. Saying you ‘may’ do something doesn’t help the data subject work out under what circumstances it will happen.
Finally, the policy should be free of charge and easily accessible. Don’t hide it in a link at the bottom of a form where few people will see it.
Instead, you should provide the policy to them in writing or link to it when asking for their personal data.
Take the guesswork out of your privacy notice
Looking for more advice on GDPR compliance? You can find all the documentation you need with our GDPR Toolkit.
Written by lawyers and expert practitioners, it’s the most comprehensive toolkit on the market containing all the GDPR policies and procedures you need to demonstrate compliance while significantly reducing your implementation costs.
More than 3,000 organisations worldwide use our GDPR toolkit to simplify and accelerate their project. If you need help achieving GDPR compliance, this toolkit is for you.
A version of this blog was originally published on 8 November 2018.
No Responses