QUESTION
What should go into a Privacy Notice?
SHORT ANSWER
At the time of collecting their data, people must be informed clearly about at least:
1. who your company/organisation is (your contact details, and those of your DPO if any);
2. why your company/organisation will be using their personal data (purposes);
3. the categories of personal data concerned;
4. the legal justification for processing their data;
5. for how long the data will be kept;
6. who else might receive it;
7. whether their personal data will be transferred to a recipient outside the EU;
8. that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
9. their right to lodge a complaint with a Data Protection Authority (DPA);
10. their right to withdraw consent at any time;
11. where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
There is guidance here
LONG ANSWER
I have answered a few questions on Privacy Notices already and have added a couple of links below for further reading, in order to avoid repetition here.
Based on my own experience so far, having worked with a good number of organisations ahead of GDPR coming into force in May, I would offer the following advice.
THINK WHY – WHAT IS THE PURPOSE?
Think about the purpose and the people and align everything to these. If the purpose is “club membership for newsletters” then the data gathered and processing should be based on the necessity for “club membership for newsletters”. If the purpose is “look after the health and wellbeing of customers” then the data gathered and processing should be based on the necessity for “look after the health and wellbeing of customers”.
This keeps things narrow, easy to manage and control. There may be a bias towards “...let’s have all their data about everything and then we can do anything...” but this is entirely contrary to GDPR and is the key cultural change that I don’t think people have grasped.
KEY PRINCIPLES
Next make sure each statement in the Privacy Notice meets the key principles. If you remember nothing else, remember the key principles!
Principle | Meaning
Lawfulness, fairness and transparency | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy | Personal data shall be accurate and, where necessary, kept up to date
Storage limitation | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability | The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR
POSSIBLE HEADINGS
These are some useful headings:
1. About Us And What We Do
2. About The Service We Provide And Why Information Is Necessary
3. What Data We Gather
4. The Roles And Controls Protecting Your Data
5. Data Sharing Or Disclosure (If You Do Any?)
6. Location Of Data (Eg Transferred To A Recipient Outside The EU)
7. The Legal Basis And Your Rights
Note rights include [1] that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights); [2] their right to lodge a complaint with a Data Protection Authority (DPA); [3] their right to withdraw consent at any time; [4] where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
See earlier article “What information must be given to individuals whose data is collected?”
SAMPLE PRIVACY NOTICE
If you want a model Privacy Notice then I suspect that the Privacy Notice of the people in charge of Privacy Notices is probably a good start! Have a look at the regulator’s Privacy Notice!!
However, as said many times, if your organisation is not doing what the ICO is doing then your notice doesn’t need to say what the ICO is saying.
See earlier article “I am sharing feedback as a learning exercise for anyone contemplating a Privacy Notice and a stark warning for anyone who simply recycles someone else’s Privacy Notice without thought.”