Stephanie Coulson, commercial law and data protection specialist at Muckle LLP, says transparency is key to the new privacy notices required for May's new General Data Protection Regulation (GDPR).
A key document needed to comply with the new GDPR is your privacy notice – and there are more requirements than before! Thankfully there’s also plenty of guidance out there to help.
What do I have to tell people?
– Who the data controller is
– Contact details for the data protection officer
– Purposes and legal basis for processing data
– Third parties who will receive the information
– Whether the information will be transferred to other countries and what safeguards are in place
– Storage periods
– Individuals’ rights (including the right to lodge a complaint with the Information Commissioner’s Office (ICO))
– Whether the requirement to provide the information is statutory or contractual
– Whether you do any automated decision-making (including profiling)
Where do I start?
The Article 29 Working Party has released guidelines on transparency and the ICO has published ‘Children and the GDPR Guidance’. The best place to start, however, is looking inwards to identify your audience, what information you need from them and what you are going to do with it. Then apply the guidance when you update your privacy notices.
How do I tell people we have changed the notice?
It’s important to tell people when you have made changes. The guidance makes it clear that simply asking people in the body of the notice to “check back regularly” for changes is not fair. Consider pop-ups, specific update messages or other ways of communicating your changes.
Some tips to help
Keep it snappy: making your privacy notice thorough and detailed might reassure you that nothing is missing, but the GDPR needs it to be clear, concise and easy for your customers to read.
Captivate: the written word isn’t the only way to communicate. Think about combining it with pictures, flowcharts and audio. You could even layer your notices electronically.
Tailor: standard template wording won’t do. You need to tailor your privacy notices. If your audience is predominantly children, for example, make sure the language you use is child-friendly and consider using pictures, audio or other devices to explain your privacy practices clearly.
Put people first: as with all the provisions of the GDPR, the rights of the individuals (and the need to protect those rights) are paramount.
Review: as technology advances and practices change, don’t forget that your privacy notice needs to change too.
Accountability: keep a record of your process when drafting your new privacy notice (including whether you decided to trial it before going live).