With the General Data Protection Regulation (GDPR) coming into force in less than four months, organisations need to take steps now to be ready ahead of the 25 May 2018 deadline. One key action will be to review and update privacy policies.

What’s changed?

The GDPR introduces new requirements and increases the amount of information that needs to be included in privacy notices. A GDPR compliant privacy policy needs to contain detailed information about the organisation’s processing activities. It also needs to be concisely drafted in plain and clear language to meet the fairness and transparency requirements of the GDPR.

What does a privacy policy need to include?

The GDPR (articles 13 and 14) explicitly requires data controllers to inform data subjects of the following:

  • the data controller’s identity and contact details;
  • details of the data protection officer, if the organisation is required to have one;
  • the purpose and legal basis for processing;
  • if the legal basis for processing is legitimate interest, what that interest is;
  • recipients, or categories of recipients of the personal data;
  • if there is a statutory or contractual requirement for the data subject to provide personal data, what the consequences are for failing to do so;
  • the data controller’s source of the personal data, if it has not been provided directly to the data controller by the data subject;
  • the data subject rights;
  • how long the personal data will be retained and, if no time frame can be provided, how the retention period will be calculated;
  • whether any automated decision making (for example, profiling) is being carried out, and information about such automated decision making; and
  • whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data.

Key principles to consider when updating privacy policies are set out below:

What is being collected and how will it be used?

Under the GDPR it is important that organisations are transparent about the processing of personal data they undertake. The privacy policy should set out:

  • what personal data is collected (for example name, address details, credit / debit card details, photographs, technical information (such as IP address) etc);
  • how personal data is collected (for example whether it is provided by the data subject or collected via cookies) and should identify the source of any data not collected directly from the data subject (for example if data is collected via cookies then the type of cookies used should be set out); and
  • why such personal data is collected (for example processing card details to secure payment before dispatching a product to a customer).

If the personal data is not collected by the organisation, but by a third party, this will also need to be set out in the privacy policy.

Legal basis for processing

Organisations will also need to set out in their privacy policies what the legal basis is for their collection and processing of personal data. Article 6 of the GDPR sets out the legal basis for processing personal data and article 9 of the GDPR sets out the legal basis for processing ‘special category’ personal data (currently known as sensitive personal data). The legal basis for processing can, for example, be consent (or explicit consent in respect of special category data) or that the processing is necessary: for the performance of a contract; or for the purposes of legitimate interests of the organisation (that are not overridden by the interests, rights or freedoms of the data subject). It is important that the most appropriate legal basis is chosen for the processing activity.

If the legal basis for processing is legitimate interest, then organisations will need to go one step further and set out in their privacy policies what exactly their legitimate interest is.


Where the processing relies on the data subject having given consent, this should not be buried in the privacy policy. The GDPR requires that where consent is given in the context of a notice which also concerns other matters, the consent request needs to be presented in a clearly distinguishable way in an intelligible and easily accessible form, using clear and plain language. The data subject must be told that they can withdraw their consent at any time (and it needs to be as easy to withdraw consent as to give it). Consent also needs to be verifiable, so record keeping relating to consent is important. This approach to consent requires an assessment of the circumstances in which an existing privacy notice seeks to rely on the data subject’s agreement or consent, and a revisiting of whether or not consent is the most appropriate legal basis for processing on which to rely.

Sharing personal data

The privacy policy should also set out who the data controller shares personal data with. This may include service providers and sub-contractors of the data controller, who process personal data on the data controller’s behalf (for example, IT service providers).

If the organisation is sharing personal data with a third party (including group companies) who wishes to rely on consent collected by the organisation for the processing it undertakes, for example for direct marketing purposes, then this third party will have to be named in the consent request, and not just within the privacy policy.

Subject rights

To date privacy policies typically provide that data subjects have the right to make a ‘subject access request’ to find out what information is held about them. Under the GDPR data subjects have enhanced rights, which must all be brought to the data subject’s attention in the privacy policy.

This means the privacy policy must set out that data subjects have the following rights and include information on how they can be exercised:

  • the right to access personal data held about them;
  • the right to object to processing (for example, direct marketing);
  • the right to data portability;
  • the right to complain about processing carried out by the data controller;
  • the right to object to automated decision making;
  • the right to have their personal data updated; and
  • the right to be forgotten.

Transfers outside the EEA

Under the GDPR, organisations will need to explain not only whether personal data is processed outside the EEA, but also in which countries or international organisations the personal data may be processed. The privacy policy will also need to set out whether or not such countries or international organisations are ones that the EC Commission has decided ensure an adequate level of data protection. If not, then the policy will need to explain what safeguards are in place to protect the rights of the data subjects and how a data subject can access them. For example, if an organisation is relying on standard contractual clauses to ensure that the rights of the data subjects are protected, the privacy policy must not only mention this but also state that the data subject can request a copy of the standard contractual clauses. The data controller must also have a valid legal basis for the transfer.

How should the privacy policy be presented?

Under the GDPR privacy notices must be concise, transparent, intelligible and easily accessible.

Practically this means that the policy should:

  • be displayed prominently (not buried amongst other terms and conditions that would require the data subject to scroll through large amounts of text);
  • for online privacy policies adopt a layered approach, where the data subject is presented with a short summary of the important or unusual uses of their personal data and provided with a link to click for information that is more detailed;
  • use language that is clear, straightforward and free from legal jargon;
  • use headings to break the policy down into relevant sections; and
  • provide an accurate translation if the organisation targets data subjects in non-English speaking countries.

Where the data subject is given choices regarding use of their personal data, these should be clearly set out and easy to exercise, for example by using preference management tools like dashboards.

What to do now?

Organisations should consider what personal data they are collecting, for what purposes they are processing such personal data and what the legal basis is for doing so. Once this has been established, organisations need to update their privacy policies to ensure that they are transparent and GDPR compliant. Organisations should refer to the ICO’s guide to the GDPR and privacy notices code of practice which provide detailed guidance.