The GDPR (General Data Protection Regulation) gives individuals more control over how their personal data is used. If your organisation processes personal data, the Regulation requires you to provide data subjects with certain information. This typically takes the form of a data privacy statement or privacy notice.
But what is a data privacy notice, and what should it contain? This post explains everything you need to know, and contains a GDPR statement example.
What is a privacy notice?
A privacy notice is one of several documents required for GDPR compliance. However, whereas many are strictly internal, a GDPR statement is provided to customers and other interested parties, explaining how the organisation processes their personal data.
There are two reasons for doing this. First, it ensures that you’re as transparent as possible with data subjects. This prevents any confusion about the way personal data is being used, and ensures a level of trust between the organisation and the individual.
Second, it gives individuals more control over the way their data is collected and used. If there’s something the individual isn’t happy with, they can query it via a DSAR (data subject access request) and potentially ask the organisation to suspend that processing activity.
How to write a privacy notice
Article 30 of the GDPR explains that a compliant document should include at least the following details:
1) Contact details
The first thing to include in your privacy notice is the name, address, email address and telephone number of your organisation.
If you’ve appointed a DPO (data protection officer) or EU representative, you should also include their contact details.
2) The types of personal data you process
The definition of personal data is a lot broader than you might think.
Ensure you include everything that you’re collecting and do so as specifically as possible.
For example, instead of just saying ‘financial information’, state whether it’s account numbers, credit card numbers, etc.
You should also outline where you obtained the information if it wasn’t provided by the data subject directly.
3) Lawful basis for processing personal data
Additionally, if you are relying on legitimate interests, you must describe them. If you’re relying on consent, you should state that it can be withdrawn at any time.
Remember that there are specific rules when it comes to processing special categories of personal data.
4) How you process personal data
You must explain whether you will be transferring personal data to third parties.
We suggest also specifying how you will protect shared data, particularly when the third party is based outside the EU.
5) How long you’ll be keeping their data
The GDPR states that you can only retain personal data for as long as the legal basis for processing is applicable.
In most cases, that will be easy to determine. For example, data processed to fulfil contracts should be stored for as long as the organisation performs the task to which the contract applies.
Likewise, organisations that process data on the grounds of a legal obligation, public task or vital interest should hold on to the data while those processing activities are relevant.
Things are trickier with consent and legitimate interests, as there is no clear point at which they’re no longer valid.
As such, we recommend reviewing your data retention practices at least every two years.
6) Data subject rights
The GDPR gives individuals eight data subject rights, which you should list and explain in your privacy notice:
- Right to be informed: organisations must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
- Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances, individuals can ask organisations to erase any personal data that’s stored on them.
- Right of portability: individuals can request that an organisation transfers any data it holds on them to another company.
- Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.
- Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
- Rights related to automated decision making, including profiling: individuals can ask organisations to provide a copy of their automated processing activities if they believe the data is being processed unlawfully.
You should also remind individuals that they are free to exercise their rights and explain how they can do this.
Why you need a privacy notice
Privacy notices are a legal requirement under the GDPR, and ensure that individuals are aware of the way their personal data is processed.
However, they can also benefit organisations in several ways.
For one, privacy policies provide documented proof of your data processing activities.
This helps you justify your processing if someone lodges a complaint with their supervisory authority.
GDPR policies and procedures can also help you win business, as they prove that you take information security seriously.
Although they cover many of the same topics, privacy notices aren’t to be confused with privacy policies.
In the context of data protection, a privacy notice is a publicly accessible document produced for data subjects.
When should you provide a GDPR privacy notice?
The GDPR explains that data controllers must provide a privacy notice whenever they obtain a data subject’s personal information.
The only times this isn’t necessary are when:
- The data subject already has the information provided in the privacy notice;
- It would be impossible or involve a disproportionate effort to provide such information;
- The organisation is legally obliged to obtain the information; or
- The personal data must remain confidential, subject to an obligation of professional secrecy.
When an organisation obtains personal information from a third party, it must provide a privacy notice within a month.
This should be done the first time the organisation communicates with the data subject or when the personal data is first shared with another recipient.
The easiest way to provide a privacy notice is to post it on your website and link to it whenever appropriate.
Writing your privacy notice
This is particularly important when you are processing children’s personal data, as there are many concepts that you’ll have to explain in more detail.
In general, privacy policies should be written in the active voice and avoid unnecessary legalese and technical terminology.
Likewise, you should avoid qualifiers such as ‘may’, ‘might’, ‘some’ and ‘often’, as they are purposefully vague. Saying you ‘may’ do something doesn’t help the data subject work out under what circumstances it will happen.
Finally, the policy should be free of charge and easily accessible; don’t hide it in a link at the bottom of a form where few people are likely to see it.
You should instead provide the policy to them in writing or link to it when asking for their personal data.