Transparency about how you will use an individual’s personal data is a key element of the General Data Protection Regulation (GDPR).
The GDPR, which comes into force on 25 May 2018, sets out that a data controller must provide certain information to individuals, which is more detailed and specific than the current requirements under the Data Protection Act 1998.
The information you provide to individuals about how you process their personal data must be provided promptly and be in a concise, transparent, intelligible and easily accessible form, using clear and plain language (particularly if addressed to a child), and must include the following:
- The identity and contact details of the data controller;
- The contact details of the data protection officer (if applicable);
- The purpose of the processing and its legal basis;
- Where processing is based on legitimate interests, what they are;
- Any recipients of the personal data;
- Details of any transfers to third countries and means of safeguarding;
- The retention period;
- The right for individuals (data subjects) to ask the data controller to access, rectify, erase, restrict or transfer their data to another controller;
- Where processing is based on consent, the data subject’s right to withdraw consent;
- The right to complain to the ICO;
- Whether the provision of personal data is a statutory or contractual requirement, or is necessary to enter into a contract, and whether the data subject is obliged to provide such personal data and the consequences of failure to do so;
- The existence of automated decision making (including profiling);
- Any further processing activities beyond the initial purpose.
One of the most common ways to provide individuals with this information is in a privacy notice. Under the GDPR, greater emphasis is placed on making privacy notices understandable and accessible by using the most appropriate mechanisms, for example, supplying them in a digital context on your website and/or in email footers.
Providing a privacy notice is an important part of fair processing. To ensure transparency, the Information Commissioner’s Office (ICO) recommends that you consider the following elements when planning a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
How we can help you
Baines Wilson can assist in a variety of ways to get your business GDPR-ready, including providing training, planning a strategy and drafting, updating or checking your documentation. If you would like more information on how we can help you, please do not hesitate to contact Joanne Holborn, Tom Scaife or Caroline Rayner on 01228 552600 or 01524 548494.