This month we’re concentrating on privacy notices. Your organisation’s privacy notices are a key area of compliance with the 1st Data Protection Principle, that personal data must be dealt with fairly, lawfully and transparently. Privacy notices are the mechanism by which you tell individuals what personal data you hold and your purpose for processing their personal data.
Privacy notices are a prominent public facing aspect of your organisation’s GDPR compliance measures, and will be an obvious area to challenge if they do not meet the required standards under the GDPR. On that basis, ensuring that your privacy notices are GDPR compliant should be one of your organisation’s key compliance priorities.
Our action point for this month, therefore, is to review and amend your privacy notices. Privacy notices are already an aspect of data protection law, but under the GDPR your organisation’s privacy notice must provide much more information to the individual. The GDPR sets out a long list of information which must be included in a privacy notice. For example, you must tell the individual not only your purpose for processing their personal data (as is currently required), but also which of the permitted legal bases for processing personal data you are relying upon (e.g. legitimate interests or consent). If legitimate interests are relied upon, you must set out what those legitimate interests are and how they are balanced against the interests of the individual. The period for which personal data will be retained must also be included, as must details of whom you share the individual’s personal data with.
You will also need to consider how the information is presented to individuals. This is likely to vary depending upon the category of data subject the privacy notice is addressing, for example, the privacy notice you provide your staff will differ in content from the privacy notice you provide customers, clients or the public generally. Your staff privacy notice can be placed on an intranet, while your customer privacy notice may be best placed on your website (this is what is suggested by the most recent European guidance).
Remember that when your organisation is collecting personal data directly from an individual, the privacy information must be provided at the point of collection, so you will need to think about how this information can be provided in practical terms. If you obtain personal data from a third party, rather than from the individual directly, you are still required to provide privacy information to the individual concerned in most cases. This must be done within one month of receiving the personal data, or at the first time you communicate with the individual concerned (whichever is sooner).
The Information Law team at Geldards can assist your organisation with this key compliance requirement. We can provide template GDPR privacy notices. We can also assist with advice on the method and timeframe for delivering privacy information. For more information contact a member of our Specialist GDPR Team.