GDPR: Updating Privacy Notices


Are you caught in a last-minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)?

Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked away in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework about the information Data Controllers must provide to Data Subjects as well as the manner and timeframe.

What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”


Under Article 13 of GDPR, where data is obtained directly from the Data Subject, the following information must be provided at the time the data is obtained:

  • the identity and contact details of the Data Controller and where applicable any representative
  • the contact details of the Data Protection Officer where applicable
  • the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
  • where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party
  • the recipients or categories of recipients for the personal data (if any)
  • details of international transfers and their legal basis

In addition the Data Subject must be given the following information necessary to ensure fair and lawful processing:

  • the period for which the data will be stored or, where this is not possible, the criteria used to determine that period
  • the existence of the Data Subjects’ rights e.g. Data Portability and Subject Access, Rectification, Erasure etc.
  • where the processing is based on consent, the fact that consent can be withdrawn at any time
  • the right to lodge a complaint with the supervisory authority (the ICO)
  • where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data
  • details about automated decision making, including profiling, and the logic and consequences of such processing

Article 14 contains a similar list to the above to be included in a privacy notice to Data Subjects where their data is not collected directly from them.


GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request e.g. in the form of a pre-recorded message. Other ways of providing the information include leaflets, cartoons, infographics and flowcharts. The mobile phone company, O2, has even produced a video!

So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, which addresses privacy notices. The ICO GDPR guide contains useful checklists and their privacy notices code is worth a read (though it is primarily drafted with the DPA in mind).


Our consultant, Scott Sammons, has produced a sample GDPR privacy notice – read it here. Other examples below:

Transport for London | Essex Council | Halifax Bank | Decoded Legal (law firm)

Age UK (charity) | Act Now Training

The DFE has produced suggested texts for privacy notices for schools and local authorities to issue to staff, parents and pupils.

There are a number of other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. As the Information Commissioner has said, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

If you need to raise awareness about GDPR, our GDPR e-learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 17 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.