The GDPR requires data controllers to provide data subjects with accessible information, which is usually contained within a privacy notice, about how their personal data will be processed. As in many other areas, the principles remain the same or similar to those under the previous data protection legislation but the level of detail required is much greater under the GDPR meaning that compliance is now more difficult.
Definition under the GDPR
The GDPR does not define what a privacy notice is; however, it does set out the minimum information which must be provided to data subjects. The following information must be provided:
- The contact details of the controller and the data protection officer (if you have one);
- The purposes for the processing and the lawful basis relied upon for each purpose;
- Where legitimate interests is the lawful basis, the legitimate interests pursued by the controller or by a third party;
- Categories of the personal data;
- Recipients of the personal data;
- Details of any transfers to third countries or international organisations, along with the safeguards relied on;
- Retention period or criteria used;
- Existence of each of the data subject’s rights;
- The right to withdraw consent at any time;
- The right to lodge a complaint;
- The source of the personal data (if the data is not collected directly from the individual) and whether it came from a publicly available source;
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data; and
- The existence of automated decision making, information about how decisions are made, the significance of those decisions and the consequences.
What does the GDPR definition really mean?
The GDPR requires a high standard and level of detail in relation to privacy notices. Not only must certain information be provided, the information must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language; and
- Provided free of charge
In determining whether the information has satisfied the above, consideration must be given to the age and circumstances of the data subject whose personal data is being collected. If you are collecting children’s data then you must also ensure that the information provided is age appropriate.
What are the significant changes brought in by the GDPR?
The rules set out in the GDPR surrounding privacy information are more detailed and specific than under the previous data protection legislation. The information which needs to be provided to data subjects is longer and more detailed than before, yet at the same time it must be concise and easily accessible. This presents a clear challenge to all organisations to ensure that their privacy notices fulfil both requirements.
The GDPR also places an express requirement on data controllers who are processing children’s data to adapt their privacy notices for the appropriate age group.
What effect has this had on UK businesses?
As you can see from the list above, the GDPR places a much bigger burden on businesses to provide information to data subjects. Hopefully your privacy notice complies with the requirements but it’s important to keep it under review. If the information you collect, or what you do with it changes, you should ensure your privacy notice is updated as soon as possible. Non-compliance could not just lead to a penalty, but could also damage public trust in the organisation.
Another challenge facing businesses is the shift away from traditional methods of collecting information directly from the individual and an increase in the use of data collected by other means. The increased use of wearable tech such as smart-watches and Fitbits allows individuals to be tracked and observed. Privacy notices for this sort of data capture will need to be clear about how the data collected will be used. The need for fairness and transparency in privacy notices will be of even greater importance in relation to this sort of data: the data subject may not even have considered that the data may be personal data, and the privacy notice must therefore communicate this clearly.
What should my business be doing?
Hopefully your privacy notice has already been updated to be GDPR compliant but it’s an ongoing obligation so ensure you keep it under review. Notices should not only provide the required information, but do so in clear language avoiding the use of legalese or jargon.
If you offer goods or services online, rather than providing a long privacy notice, you could consider implementing layering devices such as ‘just-in-time’ notices. This will ensure that information given on privacy is provided to the data subject at the most appropriate time.
For ongoing choices about how data subjects' information is used, dashboards that can be easily amended and updated are a useful mechanism for ensuring that privacy and consent can be managed by the data subject. Giving data subjects control over their preferences is also a good way of demonstrating compliance with the data protection principles.
With the increased use of many different types of electronic devices you will also need to ensure that your privacy notice is accessible on mobile phones and tablets.
How can I provide the required information?
This may depend on the nature of your business and the relationship you have with individuals. A privacy notice can be communicated:
- Orally – face to face or by telephone;
- In writing – printed media/adverts and forms;
- Through signage – posters; and
- Electronically – text messages, websites, emails, mobile apps.
Ideally you should provide the notice using the same method you use for collecting the information.
When does the information need to be provided?
Where data is obtained directly from the data subject, the information must be provided at the time the data is obtained. Where data is obtained from a third party, the information must be provided within a reasonable period after obtaining it and in any event within one month; if the data is used to communicate with the individual, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed.
Do I have to provide all of the required information in one place?
No. If it is impractical to contain all of the information in the same document you could consider a layered approach. Use a short, simple document to convey the key points and include a link to where a further more detailed document (or documents) can be found.
With online products and services, you could also consider utilising ‘just-in-time’ notices. These appear on the screen when personal data is provided. You may also consider using a dashboard where users can amend their privacy settings.
For products that collect data (such as virtual home assistants), you should consider what information is practical to include on the packaging and instructions for the product. Other information may need to be made available online.
Do I need to provide a privacy notice if I obtain the data from a third party?
Not necessarily. Where the data is not obtained directly from the individual, you may be exempt if:
- the individual already has the relevant information;
- providing the information would be impossible or involve disproportionate effort (in which case you must still take appropriate measures to protect the individual's rights and interests, such as making the information publicly available);
- obtaining or disclosing the data is expressly laid down by Union or Member State law which provides appropriate measures to protect the individual's legitimate interests; or
- the personal data must remain confidential under an obligation of professional secrecy regulated by Union or Member State law.
Can I use the same notice for everything?
It’s not advisable. The GDPR requires that privacy notices are clear and accessible. This means taking into account your intended audience and tailoring the notice to suit their circumstances. For example, younger audiences may need different wording as part of privacy notices as they may not have the same level of comprehension skills. You may also have to consider the appropriate language for the notice and may also be required to translate the notice into other languages in accordance with the intended audience.
What if I need to change a privacy notice?
Any significant changes in a privacy notice should be drawn to individuals’ attention. Depending on the impact of the changes, you will need to either directly contact the data subject or publish the changes somewhere appropriate for example, on your website.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.