How are you getting on with being GDPR (General Data Protection Regulations) ready? I hope you are starting to consider what it is you need to do and at least communicate to the business the obligations you have as an organisation. And building awareness as required in step 1.
Following on from my previous posts on the 12 steps to General Data Protection Regulations (GDPR) compliance and what to do for steps one and two. Here is my advice on step three – Privacy Notice.
GDPR will helps us all be transparent about where, when and how data is used and who it is communicated to and processed by. Providing a Privacy Notice is an important part of fair processing aiding the transparency process.
Step 3 Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect personal data you currently need to give people certain information, such as your identity and how you intend to use their information. This is usually done through a Privacy Notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data.
Note: the recording of processing activities differs slightly if you have more than 250 employees.
Extract from ICO on Privacy Notices: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
Providing a privacy notice does not by itself mean that your processing is necessarily fair. You also need to consider the effect of your processing on the individuals concerned. Therefore the main elements of fairness include:
- Using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used
- Thinking about the impact of your processing. Will it have unjustified adverse effects on them?
- Being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context, this can include all the online platforms used to deliver services.
To cover all these elements, you will need to consider the following issues when planning a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
It is also important to recognise that the ways in which data is collected are changing. Traditionally, data was collected directly from individuals, for example when they filled in a form. Increasingly, organisations use data that has not been consciously provided by individuals in this way. It may be:
- observed, by tracking people online or by smart devices;
- derived from combining other data sets; or
- inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases, in order to profile people for example in terms of their credit risk, state of health or suitability for a job.
In these cases you are acquiring and processing personal data about individuals, and the requirement to be fair and transparent still arises. These new situations can make it more challenging to provide privacy information, and new approaches may be required. A good way to approach these issues is to carry out a privacy impact assessment (PIA). This is a methodology for assessing and mitigating the privacy risks in a project involving personal data.
Link to the code of practice for conducting privacy impact assessments: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
What Should You Include in Your Privacy Notice?
The starting point of a privacy notice should be to tell people:
- who you are;
- what you are going to do with their information; and
- who it will be shared with.
These are the basics upon which all privacy notices should be built. However, they can also tell people more than this and should do so where you think that not telling people will make your processing of that information unfair. This could be the case if an individual is unlikely to know that you use their information for a particular purpose or where the personal data has been collected by observation or inference from an individual’s behaviour.
Your Privacy Notice could look something like the following if you have a simple data processing arrangement. For more complex data processing with multiple third parties and data being exchanged via those thirds parties along a chain requires a more complex privacy notice clearly setting out all the uses of the data and by whom in clear easily understandable English. Sample below taken from: https://actnowtraining.wordpress.com/2016/09/06/privacy-notices-under-gdpr-have-you-noticed-my-notice/
Sample GDPR Privacy Notice
The Liz Data Company Ltd will be what’s known as the ‘Controller’ of the personal data you provide to us. We only collect basic personal data about you which does not include any special types of information or location based information. This does however include name, address, email, phone number.
Why we need your data
We need to know your basic personal data in order to provide you with on-going organisational updates and funding information and analysis services in line with this overall contract. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.
What we do with your data
All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information is located on servers within the European Union. No 3rd parties have access to your personal data unless the law allows them to do so.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be found on our website.
How long we keep your data
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. More information on our retention schedule can be found at: Thelizdatacompany.com/dataretention
What we would also like to do with your data
We would however like to use your name and email address to inform you of our future offers and similar products. This information is not shared with third purposes and you can unsubscribe at any time via phone, email or our website. Please indicate below if this is something you would like to sign up to.
Please sign me up to receive details about future oﬀers from firstname.lastname@example.org
What are your rights
If at any point you believe the information we process on you is incorrect you can request to see this information and have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated. email@example.com
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/
Share your Privacy Notices to help fellow readers better understand how to form their notice.
For more information on what should and can be included in the Privacy Notice: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individualsrights/the-right-to-be-informed/
Image credit: http://www.seqlegal.com