A brief guide to providing GDPR compliant privacy notices

Businesses across the EU, large and small, are scrambling to get privacy notices ready for GDPR


What is a GDPR-compliant privacy policy?

A GDPR-compliant privacy policy should set out the areas in which user privacy is affected and explain the obligations of the website and its owner towards users. It should also detail how your organisation processes, stores and protects user data. The policy should be published on your organisation’s website.

The main points that should be addressed in a privacy policy include:

  • Use of cookies: define what cookies are and how and why your organisation uses them
  • Personal information: If your organisation requests or stores personal information, this should be made clear. Under GDPR, individuals have the right to request a copy of this information and to ask for it to be erased (subject to the conditions attached to the right to erasure)
  • Information collection and use: The policy should make clear how your organisation collects information and how long it’s stored for
  • Other information: A GDPR-compliant privacy policy must make clear how any other information that is collected, such as through registration forms or any other means, is used, and also must provide instructions on how to unsubscribe from any mailing list

What is a GDPR-compliant privacy notice?

A privacy notice tells people from whom you are taking data:

  • Who you are
  • What you are going to do with their information
  • Who you will share it with

At minimum, a privacy notice must contain those three key things. GDPR requires a privacy notice to be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, appropriate for the audience, and free of charge.

Three key aspects of developing a good GDPR privacy notice

There are three key aspects of good practice to keep in mind when developing a GDPR compliant privacy notice.

  • A layered approach – provide data subjects with key information with links to further detail
  • Just in time notices – that give focused, headline information right at the point data is being collected
  • Icons and symbols which indicate the use of personal data or particular processing purposes

GDPR compliant privacy notice examples

For example, a GDPR-compliant privacy notice might include the following:

  • Contact details of your organisation
  • The date the notice was issued or last updated
  • A list and explanation of the types of personal information you collect. Personal information includes any information that can be used to identify a living person.
  • How the personal information is collected, why your organisation is collecting it, how it will be used, and who it might be shared with
  • An explanation of the lawful basis you have for collecting or holding their information under GDPR
  • An explanation of how the personal information you collect is stored, for how long it will be stored, and how you intend after that period to destroy it
  • An explanation of your customer’s or client’s data protection rights (right of access, right to rectification, right to erasure, right to restriction of processing, right to object to processing, right to data portability)
  • Instructions on how to complain if the customer has concerns about your use of their personal information, including the ICO’s address

How should you provide a privacy notice?

A privacy notice can be provided orally in person or over the phone, in writing, through signs and posters, or online or by email. Guidance notes that the initial notice should be provided through the same channel by which the data is collected.

While this is relatively straightforward when taking data online, it can seem more complex when taking information over the phone. In those circumstances a very brief statement of what the phone number will be used for is sufficient at the immediate point of collection, for example: ‘Can I just take your phone number so someone can call you back?’

On a website, the prompt for the phone number would simply say ‘Please enter your phone number so we can call you back.’ On the return call, or whenever more information is provided or more data is collected, you should tell the person where they can find the full privacy notice, or offer to send them a link.

If you then follow up by post or email, you can include the fuller notice at that point. What GDPR is trying to prevent in this situation is a marketer taking a phone number given for a general enquiry, adding it to a marketing database and then making unwanted calls.

When should I send a privacy notice?

If data is collected directly from the data subject, the privacy notice should be provided at the time of collection. If it is obtained from a third party, the notice must be provided within a reasonable period after obtaining the data and at the latest within one month; if the data will be used to communicate with the individual, at the time of the first communication (for instance in an email footer); and if it will be disclosed to another recipient, at the latest when it is first disclosed.

There are some exemptions from providing a privacy notice to be aware of. If data has been obtained from a third party, a privacy notice does not have to be provided if:

  • The individual already has the information
  • Providing it would be impossible or would involve disproportionate effort
  • Obtaining or disclosing the data is expressly laid down by law
  • The data must remain confidential under an obligation of professional secrecy

10 things a GDPR compliant privacy notice should cover

  1. Identity and contact details of the data controller / DPO
  2. What information do we collect about you?
  3. How will your information be used?
  4. Our legal basis for processing your data
  5. Who receives your information
  6. Where your information is stored and how it is kept secure
  7. Transfers to third countries and the safeguards in place
  8. How long your information will be held for
  9. Your rights
  10. How to make a complaint to us and our supervisory authority

On-demand GDPR webinar

Director of Best Practice Gary Yantin was once again joined by Director of Course Development Nick Henderson to help you prepare for the General Data Protection Regulation. During the webinar, Nick delved into the world of privacy notices, discussing what should be included in privacy notices, the changes required under GDPR and more.


How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs, data controllers and data processors. Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals), each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach €20 million or 4% of global annual turnover, whichever is higher.
