GDPR Blog Week 7: Privacy Notices
Underpinning the principle of lawfulness, fairness and transparency is the concept that personal data collected from or about an individual must be collected openly and visibly. The use of that data must also be made clear to the data subject (the person whose data is being processed), and the supervisory authority in the UK (the Information Commissioner’s Office, or “ICO”) recommends that this is done by issuing a Privacy Notice or Privacy Statement on your website, where it may be accessed easily.
Articles 13 and 14 of the GDPR set out the detailed information that must be contained in a Privacy Notice. This allows a data subject to see the categories of data held and the legal basis on which the data controller has processed the information. A data controller must state in the Privacy Notice that it has complied with the data protection principles (collected for a specified purpose, limited, accuracy, retention, transparency, security etc.) and give an account of how this was achieved. The notice must also identify the data controller (this may be obscured if the controller is one company within a group) and provide contact details for the individual within your organisation who deals with data protection issues. As the GDPR gives enhanced rights to data subjects, these rights must also be set out in your notice.
Details regarding any cross-border transfers must also be provided, so it is important that you look carefully at your operations: processing carried out in a different jurisdiction, particularly outside the EEA (European Economic Area), will attract additional safeguarding responsibilities. Processing carried out within the EEA must still be highlighted in your notice, as must details about any third parties with whom you share personal data.
The GDPR introduces a requirement to disclose any automated decision-making processes that have been used. These are essentially ones where an organisation obtains personal information about individuals from a variety of different sources, such as Internet searches, buying habits, and lifestyle and behaviour data gathered from mobile phones, social networks and video surveillance systems. Once this information has been collected, it is analysed to classify people into different groups or sectors, using algorithms and machine learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. Any data processing which includes profiling or automated decision-making must be explained in your notice.
Finally, your Privacy Notice must provide contact details for the ICO so that a data subject has recourse to make a complaint, should they be unhappy with the way in which you are processing their data. More information regarding the contents of a Privacy Notice may be obtained from the ICO’s website.
As you can see, there is a significant amount of information required in the Privacy Notice. The language must be concise, transparent and intelligible, and in an easily accessible form. It is important therefore that you consider the category of data subjects whose data you are processing. If these are children, then the language you use must be easily understood by them. The ICO recommends that child-friendly cartoons, diagrams, graphics, icons, emojis and other symbols would be a more effective way of explaining this somewhat complicated issue to children. Consider also whether parental consent is required. Children are classed as a special category of data subject and additional measures must be implemented to safeguard their personal data (and evidenced in your Privacy Notice). Conversely, if your data subjects are elderly and less likely to use the internet, then you may need to find another way of ensuring your Privacy Notice is seen by them.
So, before embarking on your Privacy Notice, I suggest that you carry out a data mapping exercise. This will help you to understand the categories of data held by you and will inform your Privacy Notice. Also carry out an inventory of all your third-party contracts to see if there is any transfer of personal data to them, as this information will need to be included in your notice. Once you have gathered the relevant information, you will be able to make a start on your Privacy Notice.
I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run-up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Data Controllers and Data Processors, looking at the obligations of both within a business or organisation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.