Having a compliant privacy notice is a must-have under the GDPR for any business collecting and processing personal data. Below we answer a few common questions about privacy notices to get you started on this important aspect of compliance with the regulation.
The terms privacy notice, fair processing notice and privacy policy are often used interchangeably, so it can be a little confusing. Privacy notices and fair processing notices are synonymous: both refer to statements provided to data subjects at the point of data collection. A privacy policy often means the same thing, but can also refer to a document used only internally by a business to set out its rules and practices for handling personal data.
Great – so what is the point of a privacy notice?
It is, of course, widely accepted that privacy notices are often skipped over and left unread by data subjects, so this is a valid question. However, having a compliant privacy notice is essential under the GDPR. The law requires that, when a business collects personal data, it provides the data subject with certain information about what it will do with that data. Without a compliant privacy notice giving the data subject that information, you risk being fined for non-compliance.
Can we re-use our existing privacy notice?
Probably not – at least not without some revision. One of many issues that the GDPR attempts to address is the prevalent use by businesses of overly-long privacy notices. The GDPR puts an emphasis on ensuring that information provided to data subjects is:
- concise, transparent, intelligible and easily accessible; and
- written in clear and plain language.
One of the big challenges here is that the GDPR requires more information to be provided to data subjects than before, yet requires it to be communicated in a quick and easy-to-digest way. The aim should be that the data subject genuinely understands how their data will be used, not merely that every required item appears somewhere in the document.
So what should my privacy notice say?
Your privacy notice should set out the different categories of personal data that your business collects and the purposes for which it does so. A key consideration for most businesses will be the lawful basis on which they rely to process each category of data. The available bases include processing based on:
- the data subject’s consent;
- the business’ legitimate interests; or
- the performance of a contract.
Choosing and justifying the right lawful basis for each processing activity is a technical exercise, which is why obtaining legal advice in this area is worthwhile.