The GDPR, in common with the DPA, requires data controllers to provide data subjects with accessible information about how their personal data will be processed; this information is usually contained within a privacy notice. As in many other areas, the principles remain the same as, or similar to, those in the DPA, but the level of detail required is much greater under the GDPR. This means that compliance may be more difficult and, at a minimum, current privacy notices should be reviewed.
Definition under the DPA
The DPA does not define what a privacy notice is; however, it does set out the minimum information which must be provided to data subjects.
Under the DPA the data controller must make a minimum amount of information available to data subjects. This information includes:
- The identity of the data controller (or their representative);
- The purpose of processing the data; and
- Any further information necessary in the circumstances to enable the processing to be fair.
What does the DPA definition really mean?
Providing a privacy notice is one way of demonstrating you are being transparent and fair in the way you are processing data.
Subject to relevant exemptions, personal data will only be processed fairly if this information is given to individuals; however, the use of a privacy notice does not necessarily guarantee fairness.
Definition under the GDPR
The GDPR does not define what a privacy notice is either; however, it does set out the minimum information which must be provided to data subjects.
The GDPR goes further and specifies that, in addition to the above, the following information should also be set out in the privacy notice:
- The contact details of the controller and the data protection officer;
- The legitimate interests of the controller;
- Categories of the personal data;
- Recipients of the personal data;
- Details of transfers to third parties along with safeguards;
- Retention period or criteria used;
- Existence of each of the data subject’s rights;
- The right to withdraw consent at any time;
- The right to lodge a complaint;
- The origin of the personal data and whether it was from a publicly available source;
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data; and
- The existence of automated decision making, information about how decisions are made, the significance of those decisions and the consequences.
What does the GDPR definition really mean?
The GDPR requires a high standard and level of detail in relation to privacy notices. Not only must certain information be provided, the information must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language; and
- Free of charge.
What are the significant differences between the DPA and the GDPR?
The rules set out in the GDPR surrounding privacy information are more detailed and specific than those in the DPA; however, a key similarity in both is the requirement to ensure that the information provided is understandable and accessible.
The significant difference in practice is the amount of information that will be required in a privacy notice under the GDPR. This will require longer and more detailed privacy notices that have to, at the same time, be concise and easily accessible. This presents a clear challenge to all organisations to ensure that their privacy notices fulfil both requirements.
The GDPR also places an express requirement on data controllers who are processing children’s data to adapt their privacy notices for the appropriate age group.
What effect will this have on UK businesses?
As you can see from the list above, the GDPR places a much bigger burden on businesses to provide information to data subjects. These changes will need to be carefully worked through and privacy notices extended and re-worded to meet the GDPR requirements. Non-compliance could not just lead to a penalty, but could also damage public trust in the organisation.
Another challenge facing businesses is the shift away from traditional methods of collecting information directly from the individual and an increase in the use of data collected by other means. The increased use of wearable tech such as smart watches and Fitbits allows individuals to be tracked and observed. Privacy notices for this sort of data capture will need to be clear as to the use of the data collected. The need for fairness and transparency in privacy notices will be of even greater importance in relation to this sort of data. In this case, the data subject may not even have considered that the data may be personal data, and therefore the privacy notice must ensure that this is communicated clearly.
What will my business need to do?
Data controllers will need to carefully examine their existing privacy notices and update them to be GDPR compliant. Notices should not only provide the required information, but do so in clear language avoiding the use of legalese or jargon.
If you offer goods or services online, rather than providing a long privacy notice, you could consider implementing layering devices such as ‘just-in-time’ notices. This will ensure that information given on privacy is provided to the data subject at the most appropriate time.
For ongoing choices about how data subjects' information is used, a dashboard that can be easily amended and updated is a useful mechanism to ensure that privacy and consent can be managed by the data subject.
With the increased use of many different types of electronic devices you will also need to check that your privacy notice is accessible on mobile phones and tablets.
How can I provide the required information?
This may depend on the nature of your business and the relationship you have with individuals. A privacy notice can be communicated:
- Orally – face to face or by telephone;
- In writing – printed media/adverts and forms;
- Through signage – posters; and
- Electronically – text messages, websites, emails, mobile apps.
Ideally you should provide the notice using the same method you use for collecting the information.
When does the information need to be provided?
Where data is obtained directly from the data subject, the information must be provided at the time the data is obtained. Where data is obtained from a third party the information must be provided within a reasonable period of time (usually one month) or before any disclosure to third parties. If the data is used to communicate with the individual then the information must be provided at the time contact is made.
Do I have to provide all of the required information in one place?
No. If it is impractical to contain all of the information in the same document you could consider a layered approach. Use a short, simple document to convey the key points and include a link to where a further more detailed document (or documents) can be found.
With online products and services, you could also consider utilising ‘just-in-time’ notices. These appear on the screen when personal data is provided. You may also consider using a dashboard where users can amend their privacy settings.
Do I need to provide a privacy notice if I obtain the data from a third party?
No, as long as:
- the individual already has the relevant information;
- providing the information would be impossible or involve disproportionate effort;
- the obtaining or disclosure of the information is allowed pursuant to Union or Member State law; or
- the information provided is subject to professional secrecy.
Can I use the same notice for everything?
It’s not advisable. The GDPR requires that privacy notices are clear and accessible. This means taking into account your intended audience and tailoring the notice to suit their circumstances. For example, younger audiences may need different wording as part of privacy notices as they may not have the same level of comprehension skills. You may also have to consider the appropriate language for the notice and may also be required to translate the notice into other languages in accordance with the intended audience.
What if I need to change a privacy notice?
Any significant changes to a privacy notice should be drawn to individuals' attention. Depending on the impact of the changes, you will need either to contact the data subject directly or to publish the changes somewhere appropriate, for example on your website.
- DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that is now in place of the Data Protection Act 1998.
This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.