The GDPR requires data controllers to provide data subjects with accessible information, which is usually contained within a privacy notice, about how their personal data will be processed. As in many other areas, the principles remain the same or similar to those under the previous data protection legislation but the level of detail required is much greater under the GDPR meaning that compliance is now more difficult.
Definition Under the GDPR
The GDPR does not define what a privacy notice is; however, it does set out the minimum information which must be provided to data subjects. The following information must be provided:
- The contact details of the controller and the data protection officer (if you have one);
- The purposes for the processing and the lawful basis relied upon for each purpose;
- The legitimate interests of the controller;
- Categories of the personal data;
- Recipients of the personal data;
- Details of transfers to third parties along with safeguards;
- Retention period or criteria used;
- Existence of each of the data subject’s rights;
- The right to withdraw consent at any time;
- The right to lodge a complaint;
- The origin of the personal data (if the data is not collected directly from the individual) and whether it was from a publicly available source;
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data; and
- The existence of automated decision making, information about how decisions are made, the significance of those decisions and the consequences.
What Does the GDPR Definition Really Mean?
The GDPR requires a high standard and level of detail in relation to privacy notices. Not only must certain information be provided; the information must also be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language; and
- Provided free of charge.
In determining whether the information has satisfied the above, consideration must be given to the age and circumstances of the data subject whose personal data is being collected. If you are collecting children’s data then you must also ensure that the information provided is age appropriate.
What are the Significant Changes Brought in by the GDPR?
The rules set out in the GDPR surrounding privacy information are more detailed and specific than under the previous data protection legislation. The list of information which needs to be provided to data subjects is longer and more detailed than before. At the same time, the information must be concise and easily accessible. This presents a clear challenge to all organisations to ensure that their privacy notices fulfil both requirements.
The GDPR also places an express requirement on data controllers who are processing children’s data to adapt their privacy notices for the appropriate age group.
What Effect has this had on UK Businesses?
As you can see from the list above, the GDPR places a much bigger burden on businesses to provide information to data subjects. Hopefully your privacy notice complies with the requirements but it’s important to keep it under review. If the information you collect, or what you do with it changes, you should ensure your privacy notice is updated as soon as possible. Non-compliance could not just lead to a penalty, but could also damage public trust in the organisation.
Another challenge facing businesses is the shift away from traditional methods of collecting information directly from the individual and an increase in the use of data collected by other means. The increased use of wearable tech such as smartwatches and Fitbits allows individuals to be tracked and observed. Privacy notices for this sort of data capture will need to be clear as to the use of the data collected. The need for fairness and transparency in privacy notices will be of even greater importance in relation to this sort of data. In this case, the data subject may not even have considered that the data may be personal data, and therefore the privacy notice must ensure that this is communicated clearly.
What Should my Business be Doing?
Hopefully your privacy notice has already been updated to be GDPR compliant but it’s an ongoing obligation so ensure you keep it under review. Notices should not only provide the required information, but do so in clear language avoiding the use of legalese or jargon.
If you offer goods or services online, rather than providing a long privacy notice, you could consider implementing layering devices such as ‘just-in-time’ notices. This will ensure that information given on privacy is provided to the data subject at the most appropriate time.
For ongoing choices about how data subjects’ information is used, dashboards that can be easily amended and updated are a useful mechanism to ensure that privacy and consent can be managed by the data subject. Giving data subjects control over their preferences is also a great way of showing compliance with the data protection principles.
With the increased use of many different types of electronic devices you will also need to ensure that your privacy notice is accessible on mobile phones and tablets.