How to write a GDPR-compliant privacy notice – 2021
Article 5 (1) describes the first of seven principles upon which the United Kingdom’s General Data Protection Regulation (“GDPR”) is formulated. It states that personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to individuals. It’s the transparency element that the provision of a privacy notice falls under. So how do you write a GDPR-compliant privacy notice?
The principle/concept of transparency in terms of collection and processing of personal data isn’t rocket science, you just need to be clear, open and honest from the outset with the people whose personal data you are collecting and processing. You need to share with them why you are collecting it, why you need it, and what you are going to do with it.
Having said that, if you are to be compliant with UK GDPR it is important that your privacy notice includes all the required elements. If you miss anything out or apply the wrong lawful basis for processing data, for example, you risk action from the ICO, so in this blog, we explain how to write a privacy notice.
What does a privacy notice need to include?
Before we go into the exact requirements, it’s important to note that the way a privacy notice is written, i.e. the language that is used is as important as the information you put in it. Art. 12 of the General Data Protection Regulation (“GDPR”) details the requirements of the privacy notice, and it states that it should be written so that the data subject can understand it.
If your data subjects are children, the language you use should be tailored for children to understand. In all instances, it should be concise, transparent, intelligible, and in an easily accessible form and it should use clear and plain language. We have a guide to understanding key data protection terms here.
Far from being an onerous task, being open and upfront about what you intend to do with the data should be viewed as an opportunity on your part to develop trust with your customers. It also demonstrates compliance with the GDPR principles: fairness, purpose limitation, consent and legitimate interest.
What does the privacy notice need to include?
To be GDPR compliant, your privacy notice should include the following:
- The name and contact details of the data controller
- The contact details for the Data Protection Officer (“DPO”), if you have designated one
- The types of personal data you are collecting and processing
- The purposes for which you collect and process personal data
- The legal basis for each processing purpose
- Information about what personal data you share and the categories of recipients
- Whether you transfer personal data to third countries (those outside the European Economic Area (“EEA”) without an ‘adequacy decision’)
- Information about the period for which the information will be processed and stored
- Details of data subjects’ rights, are: the right to be informed; the right of access; the right to rectification; the right to erasure or restrict processing; the right not to be subject to automated decision-making (if this applies)
- Who to complain to with relevant contact details. For the UK, this would be the ICO’s address.
If you rely on ‘legitimate interest‘ as a legal basis for processing personal data, you also need to state what your interest is.
What is the legal basis for collecting information?
The third point above mentions the correct legal basis for collecting personal information. Under Art. 6 of GDPR, there are 6 legal bases for processing personal data. These are;
- Consent
- Performance of a contract
- Legitimate interest
- Compliance with a legal obligation
- Vital interests
- Public task
Choosing the correct legal basis for processing data is important because it is difficult to change once you have stated your reason for doing so and started collecting it on a particular basis.
Where one or more than one legal basis applies, you should choose the most appropriate. If a special category of data is being processed, not only does a lawful basis for general processing need to be identified but an additional condition for processing this type of data needs to be considered under Art. 9 GDPR.
The subject of legal bases for processing data is a blog in itself, and I’m conscious of going off subject here but for brevity, the ICO has provided a guide to help you decide which legal basis is more appropriate. Legitimate Interest is the most complex bases to apply, we have a blog on this here.
Who is the audience?
As an organisation, you will most likely collect data from different groups of people for different reasons. Personal data that you collect from online customers and your reasons for doing so will be completely different to that of your employees, so you will need different privacy notices tailored to each audience.
When should the privacy notice be provided and how?
There are two scenarios here. If you, as the data controller, directly obtain the information from the data subject, you should provide the privacy notice at the time of obtaining that personal data. If you have not obtained the information directly from the data subject, if for example you are a third-party supplier and have received the data from your client (the data controller), then you have up to one month from the first communication with the data subject to provide your privacy notice to them.
What are best practices around privacy notices?
Your business sector and the type and quantity of data you are collecting will affect the length and complexity of your privacy notice. For example, our privacy notice is relatively simple and short. That’s because as a consultancy, we don’t need reams of personal data to help our clients with their job. A business, like Tesco, is more complex. Although it’s primarily a food retailer, it has many different divisions, such as banking, insurance, mobile telephony, pharmacy, optician and it uses its customer data across these business units to enhance its marketing and cross-sells its various services, consequently, it has a much more complex explanation to make in its privacy notice. The health care industry is another complex sector that needs to be extremely vigilant when handling sensitive data – particularly in the current climate when the COVID-19 pandemic has meant more data being shared than ever before – such as track and trace data.
This complexity can be reduced in the way it is presented. Using headings and drop-down menus presents the information in manageable chunks, this is called a layered approach and makes it altogether easier to understand and digest.
Added to this concept is a ‘blended approach’. The term ‘Privacy notice’ is somewhat misleading in that it makes it sound like a single document that can be presented in one format, but this is not the case. You can alert your customers to their privacy rights using the various media that you already use to communicate with your customers, this could be on the telephone, via printed posters, or text messages. I’ve noticed that lately, BBC radio stations have started to include the location of their full privacy policy to listeners at the end of their jingles. Microsoft uses a dashboard enabling users to easily access their information and control it themselves. More recently, Apple asked app developers to add privacy ‘Nutrition Labels’ to increase transparency with users.
Need help?
Before you craft your privacy notice, you need to know what personal data you process, what you use it for, where you store it, how long for and what third parties if any, you send it to. If you would like some advice or support with your privacy notice or in pulling this information together, contact us for a friendly chat.
