With the General Data Protection Regulation (GDPR) coming into force in less than four months, organisations need to take steps now to be ready ahead of the 25 May 2018 deadline. One key action will be to review and update privacy policies.
The GDPR (articles 13 and 14) explicitly requires data controllers to inform data subjects of the following:
- the data controller’s identity and contact details;
- details of the data protection officer, if the organisation is required to have one;
- the purpose and legal basis for processing;
- if the legal basis for processing is legitimate interest, what that interest is;
- recipients, or categories of recipients of the personal data;
- if there is a statutory or contractual requirement for the data subject to provide personal data, what the consequences are for failing to do so;
- the data controller’s source of the personal data, if it has not been provided directly to the data controller by the data subject;
- the data subject rights;
- how long the personal data will be retained or, if no time frame can be given, how the retention period will be calculated;
- whether any automated decision making (for example profiling) is carried out and, if so, information about that automated decision making; and
- whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data.
Key principles to consider when updating privacy policies are set out below:
What is being collected and how will it be used?
- what personal data is collected (for example name, address details, credit / debit card details, photographs, technical information (such as IP address) etc);
- how personal data is collected (for example whether it is provided by the data subject or collected via cookies); the policy should also identify the source of any data not collected directly from the data subject (for example, if data is collected via cookies, the types of cookies used should be set out); and
- why such personal data is collected (for example processing card details to secure payment before dispatching a product to a customer).
Legal basis for processing
Organisations will also need to set out in their privacy policies what the legal basis is for their collection and processing of personal data. Article 6 of the GDPR sets out the legal bases for processing personal data, and article 9 of the GDPR sets out the legal bases for processing ‘special category’ personal data (currently known as sensitive personal data). The legal basis for processing can, for example, be consent (or explicit consent in respect of special category data), or that the processing is necessary for the performance of a contract, or that the processing is necessary for the purposes of the organisation’s legitimate interests (provided those interests are not overridden by the interests, rights or freedoms of the data subject). It is important that the most appropriate legal basis is chosen for each processing activity.
If the legal basis for processing is legitimate interest, then organisations will need to go one step further and set out in their privacy policies what exactly their legitimate interest is.
Sharing personal data
- the right to access personal data held about them;
- the right to object to processing (for example, direct marketing);
- the right to data portability;
- the right to complain about processing carried out by the data controller;
- the right to object to automated decision making;
- the right to have their personal data updated; and
- the right to be forgotten.
Transfers outside the EEA
Under the GDPR, privacy notices must be concise, transparent, intelligible and easily accessible.
Practically this means that the policy should:
- be displayed prominently (not buried amongst other terms and conditions that would require the data subject to scroll through large amounts of text);
- for online privacy policies, adopt a layered approach, in which the data subject is first shown a short summary of the important or unusual uses of their personal data, with a link to more detailed information;
- use language that is clear, straightforward and free from legal jargon;
- use headings to break the policy down into relevant sections; and
- provide an accurate translation if the organisation targets data subjects in non-English speaking countries.
Where the data subject is given choices regarding use of their personal data, these should be clearly set out and easy to exercise, for example by using preference management tools like dashboards.
What to do now?
Organisations should consider what personal data they are collecting, for what purposes they are processing that personal data and what the legal basis is for doing so. Once this has been established, organisations need to update their privacy policies to ensure that they are transparent and GDPR compliant. Organisations should refer to the ICO’s guide to the GDPR and its privacy notices code of practice, which provide detailed guidance.