Are you caught in a last minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)?
Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked away in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework about the information Data Controllers must provide to Data Subjects, as well as the manner and timeframe in which it must be provided.
What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
Under Article 13 of GDPR, where data is obtained directly from the Data Subject, the following information must be provided at the time the data is obtained:
- the identity and contact details of the Data Controller and where applicable any representative
- the contact details of the Data Protection Officer, where applicable
- the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
- where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party
- the recipients or categories of recipients for the personal data (if any)
- details of international transfers and their legal basis
In addition, the Data Subject must be given the following information necessary to ensure fair and lawful processing:
- the period for which the data will be stored or, where this is not possible, the criteria used to determine that period
- the existence of the Data Subject's rights, e.g. Data Portability and Subject Access, Rectification, Erasure etc.
- where the processing is based on consent, the fact that consent can be withdrawn at any time
- the right to lodge a complaint with the supervisory authority (the ICO)
- where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data
- details about automated decision making, including profiling, and the logic and consequences of such processing
Article 14 contains a similar list to the above to be included in a privacy notice to Data Subjects where their data is not collected directly from them.
GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request, e.g. in the form of a pre-recorded message. Other ways of providing the information include leaflets, cartoons, infographics and flowcharts. The mobile phone company, O2, has even produced a video!
So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, which addresses privacy notices. The ICO GDPR guide contains useful checklists and its privacy notices code is worth a read (though it is primarily drafted with the DPA in mind).
Our consultant, Scott Sammons, has produced a sample GDPR privacy notice – read it here. Other examples are below:
The DFE has produced suggested texts for privacy notices for schools and local authorities to issue to staff, parents and pupils.
There are a number of other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. As the Information Commissioner has said, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”
If you need to raise awareness about GDPR, our GDPR e-learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.