Every business that collects and handles personal data needs a privacy notice, because people have the legal right to know how their personal information is used.
By law, a company’s privacy notice must explain how any such information collected will be used and protected.
But when was the last time your organisation reviewed its privacy notice? Most people do not read them in detail. Instead, they click ‘agree’ to access a website or app, which can make it easy for organisations to overlook their importance.
So, would your privacy notice pass the test? Take our test to find out.
Q1: Does your privacy policy include contact details for enquiries?
It should include at least an email address so individuals can contact your organisation with questions.
Q2: How many data subject access rights does your privacy policy identify and explain?
Your privacy policy should explain all key data protection rights, including:
- Right to be informed: The right for individuals to receive clear, concise and transparent privacy information detailing how their data is used
- Right of access: The right for individuals to request copies of personal information, commonly known as a Subject Access Request (SAR)
- Right to rectification: The right to demand that an organisation corrects inaccurate or incomplete personal data
- Right to erasure: Often called the “right to be forgotten”, this allows a person to request the deletion or removal of their personal data in certain circumstances
- Right to restrict processing: The right to ask organisations to limit or suppress the use of personal data
- Right to data portability: The right of an individual to obtain their personal data in a structured, commonly used and machine-readable format to reuse with another service
- Right to object: A person’s right to object to the processing of their data for specific purposes, such as direct marketing
- Rights regarding automated decision-making: This is the right not to be subject to decisions made solely by automated means without human intervention, and to request human intervention or challenge such decisions.
Q3: Which article 6 legal basis is best to rely on to process personal data?
This is a trick question. Any legal basis can be appropriate, provided it accurately reflects why you are processing the data and the processing is genuinely necessary.
Q4: Do you have to include a retention period, and how long should it be?
Yes. Your privacy policy should indicate how long personal data will be retained, even if this is expressed in general terms, such as ‘as long as necessary to meet legal and tax requirements’.
The more precise you can be, the better. A common recommendation is seven years from the date of last contact with the individual, although some records may need to be retained indefinitely.
Q5: Does the privacy policy include reference to your cookie policy (or does your website feature a cookie banner with an accept/refuse function)?
Your privacy policy should include a cookie policy or link to one, or your website should feature a cookie banner with accept and refuse options. If no cookies are used, this should be clearly stated.
Q6: Who should individuals submit a complaint to, and should you provide contact details?
In the first instance, the company/controller should provide a complaint procedure with contact details. As a second step, data subjects can complain to the ICO (Information Commissioner’s Office). The privacy policy should contain both sets of contact details.
Q7: When can you share personal data with third parties?
You can share personal data where individuals have been informed and where appropriate safeguards and documentation are in place to govern how that data is processed or shared.
Q8: Why are processors or sub-processors relevant to your privacy policy?
Because they should be referenced in your privacy policy. Ideally, processors should be named. If that is not practical, they should at least be described by category.
Q9: If you process payments through your website, should this be mentioned?
Yes. Your privacy policy should explain that financial transactions take place and whether payments are handled internally or via independent third-party payment providers.
Q10: Can you send personal data overseas if this is mentioned in the privacy policy?
Yes and no. International transfers should be clearly explained in your privacy policy. In most cases, overseas transfers require appropriate international data transfer agreements, although some exceptions may apply. International transfers involve multiple legal considerations and should be approached with care.
Did you get 10 out of 10?
If not, it may be time to review and update your privacy policy. Organisations can be prosecuted or fined if their privacy policies are wrong or misleading. In the UK, enforcement action is taken by the Information Commissioner’s Office (ICO).
What your privacy policy must always include
Every privacy policy should provide the name and contact details of your organisation. This must include at least an email so individuals can get in contact to ask questions.
It also needs to explain how your organisation uses personal data – and to be clear about each purpose, such as for marketing, order processing or administration, and what the legitimate interests for the processing are.
The privacy policy will also need to state how long your organisation will keep personal data or, if you don’t have a specific retention period, explain the criteria used to decide how long you will keep their information.
And you must tell people which rights they have in respect of the processing, and that they have the right to lodge a complaint with a supervisory authority.