GDPR: Updating Privacy Notices


Are you caught in a last-minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)?

Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked away in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework covering the information Data Controllers must provide to Data Subjects, as well as the manner and timeframe in which it must be provided.

What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

Contents

Under Article 13 of GDPR, where data is obtained directly from the Data Subject, the following information must be provided at the time the data is obtained:

  • the identity and contact details of the Data Controller and where applicable any representative
  • the contact details of the Data Protection Officer, where applicable
  • the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
  • where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;
  • the recipients or categories of recipients for the personal data (if any)
  • details of international transfers and their legal basis

In addition, the Data Subject must be given the following information necessary to ensure fair and lawful processing:

  • the period for which the data will be stored or, where this is not possible, the criteria used to determine that period
  • the existence of the Data Subjects’ rights, e.g. Data Portability and Subject Access, Rectification, Erasure etc.
  • where the processing is based on consent, the fact that consent can be withdrawn at any time
  • the right to lodge a complaint with the supervisory authority (the ICO)
  • where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data
  • details about automated decision making, including profiling, and the logic and consequences of such processing

Article 14 contains a similar list to the above, to be included in a privacy notice to Data Subjects where their data is not collected directly from them.

Format

GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request, e.g. in the form of a pre-recorded message. Other ways of providing the information include leaflets, cartoons, infographics and flowcharts. The mobile phone company O2 has even produced a video!

So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, which addresses privacy notices. The ICO GDPR guide contains useful checklists, and their privacy notices code is worth a read (though it is primarily drafted with the DPA in mind).

Examples

Our consultant, Scott Sammons, has produced a sample GDPR privacy notice – read it here. Other examples below:

Transport for London | Essex Council | Halifax Bank | Decoded Legal (law firm)

Age UK (charity) | Act Now Training

The DfE has produced suggested texts for privacy notices for schools and local authorities to issue to staff, parents and pupils.

There are a number of other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. As the Information Commissioner has said, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

If you need to raise awareness about GDPR, our GDPR e-learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

About actnowtraining

Act Now Training Ltd specialises in information law. We have been providing training and consultancy services globally for over 15 years. We have an extensive GDPR course programme, from live and recorded webinars and accredited foundation courses through to higher-level certificate courses, delivered throughout the country or at your premises. We pride ourselves on having well-renowned experts in the fields of Data Protection, Freedom of Information, Surveillance Law and Information Management. All our experts have worked within the public and private sectors and have many years of experience of training and consulting in these areas. Our clients include central government, local authorities and multi-national corporations, as well as other public and third sector bodies including schools. Please visit our website to see the range and testimonials of our satisfied clients.