- Personal information: If your organisation requests or stores personal information, this should be made clear. Under GDPR, individuals have the right to request a copy of the information held about them and to request its erasure; erasure is not unconditional, but the notice should explain how to exercise the right and how requests are handled
- Information collection and use: The policy should make clear how your organisation collects information, what it is used for and how long it is retained
What is a GDPR-compliant privacy notice?
A privacy notice tells people from whom you are taking data:
- Who you are
- What you are going to do with their information
- Who you will share it with
At minimum, a privacy notice must contain those three key things. GDPR (Article 12) requires the information in a privacy notice to be concise, transparent, intelligible and easily accessible, written in clear and plain language appropriate for the audience, and provided free of charge.
3 key aspects of developing a good GDPR privacy notice
There are three key aspects of good practice to keep in mind when developing a GDPR compliant privacy notice.
- A layered approach – give data subjects the key information up front, with links (or signposts in offline channels) to the fuller detail
- Just-in-time notices – focused, headline information delivered at the exact point the data is being collected, such as beside a form field
- Icons and symbols – standardised indicators of how personal data is used or of particular processing purposes, shown alongside the written notice rather than replacing it
GDPR compliant privacy notice examples
For example, a GDPR-compliant privacy notice might include the following:
- Contact details of your organisation (and of your Data Protection Officer, if you have one)
- The date the notice was issued or last updated
- A list and explanation of the types of personal information you collect. Personal information is any information relating to an identified or identifiable living individual, whether it identifies them directly (a name) or indirectly (an identification number, location data, an online identifier such as an IP address or cookie ID).
- How the personal information is collected, why your organisation is collecting it, how it will be used, and who it might be shared with
- An explanation of the lawful basis you rely on for collecting or holding the information under GDPR (for example consent, contract, legal obligation or legitimate interests)
- An explanation of how the personal information you collect is stored, how long it will be retained, and how it will be destroyed once that period ends
- An explanation of your customers' or clients' data protection rights (right of access, right to rectification, right to erasure, right to restriction of processing, right to object to processing, right to data portability and, where processing relies on consent, the right to withdraw that consent at any time)
- Instructions on how to complain if a customer has concerns about your use of their personal information, including how to contact the ICO as the UK supervisory authority
How should you provide a privacy notice?
A privacy notice can be provided orally in person or over the phone, in writing, through signs and posters, or online and by email. The guidelines note that the initial notice should be provided through the same channel by which the data is collected.
While this is relatively straightforward when taking data online, it can seem more complex when taking information over the phone. In those circumstances, a brief sentence explaining that the phone number will be used to call the person back is enough at the immediate point of collection. For example, 'can I just take your phone number so someone can call you back?' would be sufficient.
On a website, the field where someone enters their phone number would simply say 'please enter your phone number so we can call you back'. On the return call, or whenever more information is being provided or more data is being collected, you should tell them where the full privacy notice can be found or offer to send them a link.
If you then follow up by post or email, you can include the fuller notice at that point. What GDPR is trying to prevent in this situation is marketers taking a phone number given for a general enquiry, adding it to a marketing database and starting to make unwanted calls.
When should I send a privacy notice?
If data is collected directly from the data subject, the privacy notice must be provided at the time of collection. If it is obtained from a third party, it must be provided within a reasonable period after obtaining the data and at the latest within one month; if the data is used to communicate with the individual, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed. Where you are emailing an individual, a link to the notice in the email footer is a common way to meet this.
There are some exemptions to be aware of. If data has been obtained from a third party, a privacy notice does not have to be provided if:
- The individual already has the information
- Providing it would be impossible or would involve disproportionate effort (in which case you should still publish the notice and take other measures to protect the individual's rights)
- Obtaining or disclosing the data is expressly laid down by a law that applies to you and that provides appropriate safeguards for the individual
- The data must remain confidential under an obligation of professional secrecy regulated by law
10 things a GDPR compliant privacy notice should cover
- Identity and contact details of the data controller and, where one is appointed, the Data Protection Officer
- What information do we collect about you?
- How will your information be used?
- Our lawful basis for processing your data (and, where we rely on legitimate interests, what those interests are)
- Who receives your information
- Where your information is stored and how it is kept secure
- Transfers to third countries and the safeguards in place
- How long your information will be held for, or the criteria used to decide that period
- Your rights, including the right to withdraw consent where consent is the lawful basis
- How to make a complaint to us and to our supervisory authority
On-demand GDPR webinar
Director of Best Practice Gary Yantin was once again joined by Director of Course Development Nick Henderson to help you prepare for the General Data Protection Regulation. During the webinar, Nick delved into the world of privacy notices, discussing what should be included in privacy notices, the changes required under GDPR and more.