If your organisation is subject to the GDPR (General Data Protection Regulation), you must create and distribute a privacy notice.
This document ensures that individuals are aware of the way their personal data is processed, helping them understand what data is being collected, why and how it’s being used, and how long it will be kept.
But there are several other reasons organisations should create a privacy notice. We take a look at some of them in this blog, and break down what you should be doing to ensure your documentation complies with the GDPR.
What is a privacy notice?
A privacy notice is a document that organisations give to individuals to explain how their personal data is processed. It has two aims: to promote transparency and to give individuals more control over the way their data is collected and used.
Transparency is a key principle of the GDPR, as it prevents organisations from processing personal data without data subjects’ knowledge or approval.
Policies must therefore be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language; and
- Free of charge.
Despite their similar names, privacy notices aren’t the same as privacy policies.
Privacy notices are publicly accessible documents produced for data subjects, whereas privacy policies are internal documents intended to explain to employees their responsibilities for ensuring GDPR compliance.
- Contact details
Clearly state your organisation’s name, address, email address, physical address and telephone number.
If you’ve appointed a DPO (data protection officer) or EU representative, you should also include their contact details.
- The types of personal data you process
Be as detailed as possible. Don’t simply say ‘financial information’ or ‘contact information’; state exactly what that consists of.
- Lawful basis for processing personal data
The GDPR outlines six lawful bases for processing personal data. You might be using a different basis for various types of data. Specify which basis applies in each instance.
If you’re using legitimate interests, you must describe what those interests are. Similarly, if you are using consent, you must state that the individual can withdraw it at any time.
- How you process personal data
Explain whether personal data will be shared with third parties. We also suggest that you specify how you will protect shared data, particularly when the third party is based outside the EU.
- How long you’ll be keeping their data
You can only store personal data for as long as it’s needed to complete the lawful basis for processing.
In some cases, that’s pretty self-evident: data processed to fulfil contracts, legal obligations, public tasks and vital interests all have clear time frames.
You might be tempted to hang on to the data after it’s met its initial goal, saying to yourself that it could be useful for future reference. In some cases, you might have a valid point, but it’s always best to err on the side of caution.
Things are more complicated with consent and legitimate interests, as there’s no clear point at which they are no longer valid. We suggest either estimating a length of time that the data is necessary before you collect the data and/or reviewing the necessity of data processing every two years.
Data subject rights
The GDPR endows individuals with eight data subject rights:
- Right to be informed: organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
- Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances, individuals can ask for the data an organisation holds on them to be erased from their records.
- Right of portability: individuals can request that organisation transfer any data that it holds on them to another company.
- Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.
- Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
- Right related to automated decision making including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.
You should remind individuals that they are free to exercise their data subject rights at any time, and explain how they can do this.
There are times when you don’t need a privacy notice
Any organisation that’s subject to the GDPR must provide a privacy notice whenever they obtain a data subject’s personal information. However, there are a few instances where this isn’t necessary, such as when:
- The data subject already has the information provided in the privacy notice;
- It would be impossible or involve a disproportionate effort to provide such information;
- The organisation is legally obliged to obtain the information; or
- The personal data must remain confidential, subject to an obligation of professional secrecy.
Get help with our privacy notice template
Anyone looking for advice on how to create GDPR documentation should consider our privacy notice template.
Written and developed by data protection experts, this template takes the guesswork out of the documentation process, giving you the framework you need to create a GDPR-compliant privacy notice.
Our template privacy notice includes annotations to ensure you meet the GDPR’s requirements.
All you need to do is fill in the sections that are relevant to your organisation and make it available to your customers.
Want more documentation help?
You can also find out template is also included in our GDPR Toolkit, which contains a complete list of documents you need to comply with the Regulation.
Filled with more than 80 policies, procedures and checklists that were written by data protection experts, this toolkit ensures that you have a solid basis for your GDPR compliance activities.
But that’s not all the toolkit does. It also contains two licences for our GDPR Staff Awareness E-learning Course to help you understand the context for the requirements, as well as gap analysis and data protection impact assessment tools to help you identify and address data protection and privacy issues.
A version of this blog was originally published on 21 June 2019.