A version of this blog was originally published on 8 November 2018.
The GDPR (General Data Protection Regulation) is often thought of as a set of rules to prevent data breaches, but it also intends to give individuals (‘data subjects’) a better understanding of, and more control over, how their personal data is used.
Organisations that process personal data are therefore required to provide individuals with certain information. This is usually achieved via a data privacy statement or privacy notice.
This blog explains what that document is and what it should contain, as well as providing an example privacy notice to help you meet your compliance requirements.
What is a privacy notice?
A privacy notice is a document that organisations give to individuals to explain how their personal data is processed. It has two aims: to promote transparency and to give individuals more control over the way their data is collected and used.
Transparency is a key principle of the GDPR, as it ensures that personal data isn’t processed without an individual’s knowledge or against their will.
Organisations must therefore explain in simple terms what data they’re collecting, why they need it, what it’s being used for and whether any third parties will have access to the data.
Why you need a privacy notice
Privacy notices are a legal requirement under the GDPR to ensure that individuals are aware of the way their personal data is processed. However, they can also benefit organisations in several ways.
For one, privacy policies provide documented proof of your data processing activities. This helps you justify your processing if someone lodges a complaint with their supervisory authority.
Privacy policies can also help you win business, as they prove that you take information security seriously.
Although they cover a lot of the same topics, privacy notices aren’t to be confused with privacy policies.
How to write a privacy notice
Your privacy notice should include at least the following details:
The first thing to include in your privacy notice is the name, address, email address and telephone number of your organisation. If you’ve appointed a DPO (data protection officer) or EU representative, you should also include their contact details.
The types of personal data you process
The definition of personal data is a lot broader than you might think. Ensure you include everything that you’re collecting and do so as specifically as possible. For example, instead of just saying ‘financial information’, state whether it’s account numbers, credit card numbers, etc.
You should also outline where you obtained the information if it wasn’t provided by the data subject directly.
For an idea of what this might look like, take a look at our privacy notice template:
Be as specific as possible about the type of information you collect and how you obtained it.
Lawful basis for processing personal data
Additionally, if you are relying on legitimate interests, you must describe them. If you’re relying on consent, you should state that it can be withdrawn at any time.
How you process personal data
You must explain whether you will be sharing the personal data you collect with any third parties. We suggest also specifying how you will protect shared data, particularly when the third party is based outside the EU.
You might decide to state whether data will be shared with organisations based outside the EU.
How long you’ll be keeping their data
The GDPR states that you can only hold data for as long as is necessary – i.e. as long as the lawful basis for processing is applicable. In most cases, that will be easy to work out; data processed to fulfil contracts, legal obligations, public tasks and vital interests all have clear time frames.
Things are trickier with consent and legitimate interests, as there is no clear point at which they’re no longer valid. As such, we recommend reviewing any processing that involves these lawful bases at least every two years.
Data subject rights
The GDPR gives individuals eight data subject rights, which you should list and explain in your privacy notice:
- Right to be informed: organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
- Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances, individuals can ask for the data an organisation holds on them to be erased from their records.
- Right of portability: individuals can request that organisation transfer any data that it holds on them to another company.
- Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.
- Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
- Right related to automated decision making including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.
You should also remind individuals that they are free to exercise their rights and explain how they can do this.
When should you provide a GDPR privacy notice?
The GDPR explains that data controllers (organisations that determine what data is collected and how) must provide a privacy notice whenever they obtain a data subjects’ personal information. The only times this isn’t necessary are when:
- The data subject already has the information provided in the privacy notice;
- It would be impossible or involve a disproportionate effort to provide such information;
- The organisation is legally obliged to obtain the information; or
- The personal data must remain confidential, subject to an obligation of professional secrecy.
When an organisation obtains personal information from a third party, it must provide a privacy notice within a month. This should be made available the first time the organisation communicates with the data subject or when the personal data is first shared with another recipient.
Privacy notices can be issued in stages, but it’s often easiest to direct data subjects to a page on your website containing the relevant information. However, you should be aware that the policy must be specific to the type of processing that’s occurring, as each activity will be subject to discrete requirements.
Writing your privacy notice
You should use the active voice, avoid unnecessary legalese and technical terminology, and avoid qualifiers such as ‘may’, ‘might’, ‘some’ and ‘often’, as they are purposefully vague.
Finally, the policy should be free of charge and easily accessible; don’t hide it in a link at the bottom of a form asking for users for their details. Either provide it to them in writing or link to it when asking for their personal data.
Take the guesswork out of your privacy notice
Below is an example of a customisable privacy notice template available from IT Governance:
Our template privacy notice includes annotations to ensure you meet the GDPR’s requirements.
Those looking for comprehensive advice on how to document their GDPR compliance practices might prefer our GDPR Toolkit. It contains:
- A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.