The GDPR gives individuals the right to be informed about the collection and use of their personal data. This ties in with data controllers’ obligations to provide “fair processing information”. The GDPR imposes upon data controllers a requirement to be transparent about how they are going to use personal data and their justifications for doing so. It specifies the information which must be provided to individuals - which will often be done using a privacy notice or policy - and also the manner in which it is to be supplied.
Being transparent about how you plan to use and store personal data is now going to be a fundamental part of data protection law. Data subjects – those whose personal data is being processed – must be told, very clearly, how their personal data is going to be used, by whom, for what purpose and for how long. This information must be clearly set out, easily accessible and easy to understand. The most common way to provide this information to individuals is in a privacy notice.
It is therefore important for businesses to review, and amend as appropriate, the privacy notices that they are using to ensure that they are sufficient and meet the requirements of the GDPR. To assist in that process, the Information Commissioner’s Office (“ICO”) (the UK’s data privacy supervisory body) has drawn up a number of useful Codes of Practice for businesses to help contribute to compliance with data protection law. They have created a privacy notice code of practice containing recommendations on how to develop an effective and clear privacy notice. Developing and using a clear and effective privacy notice will be a contributing factor when assessing an organisation’s GDPR compliance.
The ICO suggests that using a combination of techniques to present all the required information to individuals is often likely to be the best practice. The techniques chosen must be tailored to your specific business needs, the information that you are providing and your target audience. The techniques chosen should, as far as possible, maximise the control and choice that individuals have over how their personal data is used. This can include, for example, integrating preference management tools, such as a privacy dashboard, with your privacy notice. By empowering individuals with real choice over what is done with their personal data, you can be more confident that people have provided informed consent for their information to be used, if this is the legal basis you are relying on. Not only will this demonstrate transparency, but it will also help to build the trust and confidence of consumers.
What to deliver?
When establishing what information you need to supply, a good starting point - and a very useful exercise to help organisations comply with a number of obligations imposed on them by the GDPR, including the obligation to provide appropriate information to data subjects - is the mapping out of data flow within an organisation. To enable you to start mapping, a number of questions should be answered such as:
Answering such questions may require input from a number of people within an organisation in order to gain a complete overview. Once the data flow within an organisation has been fully mapped out and questions including those above answered, it will be easier to identify what information needs to be given to data subjects in order for the organisation to comply with the terms of the GDPR.
Privacy Notice Content
When drafting a privacy notice, or reviewing the contents of an existing one to ensure compliance with the GDPR, bear in mind the GDPR requirements for information to be concise, transparent, intelligible and easily accessible, written in clear and plain language, particularly if addressed to a child, and free of charge. Consideration must be given to the audience to which the information is being given together with their reasonable expectations. If the data is to be used in a way that would not be reasonably expected by the target audience, it is important that you are very pro-active in supplying information on how it will be used. On the other hand in cases where it is reasonable for individuals to expect a particular use of their data, other methods of communication may be sufficient – such as making privacy information available to them on a separate page, as long as they are informed of where to find it.
When drafting privacy notices, remember:
A key consideration when drafting privacy notice content is the fact that the data subject should be able to determine in advance what the scope and consequences of the processing entail. In particular for complex, technical or unexpected data processing, controllers should not only provide the prescribed information under Articles 13 and 14 but also separately provide, in unambiguous language, what the most important consequences of the processing will be. Such information should provide an overview of the types of processing that could have the highest impact on the fundamental rights and freedoms of data subjects in relation to protection of their personal data.
Where personal data is obtained from the data subject, information must be given to them at the time when it is obtained. Where the personal data is not obtained from the data subject, the controller must provide the information (a) within a reasonable period after obtaining the personal data, and within one month, (b) if personal data is to be used for communication with the data subject, at the latest at the time of the first communication to that data subject or (c) if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
Exceptions to the obligation
There are a few circumstances when you do not need to provide people with privacy information, such as when an individual already has the information or if it would involve disproportionate effort to provide it to them.
Summary of action to be taken
Organisations must therefore now take action to ensure that they are indeed providing the correct information to individuals, at the correct time. In summary, organisations need to now:
- Audit existing information notices, review and update them, ensuring that they are provided at the correct time.
- For data collected indirectly, ensure that the required notice is given at the appropriate time.
- Work with relevant suppliers, partners and third parties who may collect data on your organisation’s behalf to assign responsibility for notice review, update and approval.