Is Your Privacy Policy GDPR Ready?

Goodness, it feels like the GDPR has been around forever!

Darn, it’s less than two weeks before I have to be GDPR compliant!

Pah – the GDPR is a lot of work!

Ready? Am I really ready?

I think we can all admit that we’ve probably thought these things (or worse!) when it comes to the General Data Protection Regulation (GDPR). 

By now you would (or should!) have; conducted a data flow audit on your business, trained staff on the new regulations, considered appointing a data protection manager or officer if necessary, reviewed current contracts with suppliers and customers, prepared tools and processes to document and implement compliance, ensured policies are in place for data subject access requests, prepared a plan for data breaches and notification requirements AND updated your privacy policy for your website. Phew!

Updating the privacy policy is not intentionally the last item on the list but it will be easier to write your privacy policy once you have conducted your data flow audit and understand what personal data you hold, where the data comes from, whether it is shared with third parties and so on.

What information do I need to provide in my policy?

Under the GDPR, which is geared towards transparency and fairness to individuals, organisations have to provide users with extensive information about the processing of their personal data compared to the current requirements under the Data Protection Act 1998. The GDPR (articles 13 and 14) explicitly requires data controllers to inform data subjects of the following information:

• the data controller’s identity and contact details;
• details of the data protection officer, if the organisation is required to have one;
• the purpose and legal basis for processing;
• if the legal basis for processing is legitimate interest, what that interest is;
• recipients, or categories of recipients of the personal data;
• whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data;
• how long the personal data will be retained and if no time frame can be provided how the retention period will be calculated;
• the data subject rights (access to, rectification, erasure, restriction, data portability, withdraw consent, complaints);
• if there is a statutory or contractual requirement for the data subject to provide personal data, what the consequences are for failing to do so;
• if any automated decision making, for example, profiling, is being carried out and information about such automated decision making; and
• the data controller’s source of the personal data, if it has not been provided directly to the data controller by the data subject.

How do you start creating your Privacy Policy?

As mentioned, your data flow audit is the ideal starting point. You should collate your data into the following categories which you could use as headings within your policy:

• what personal data is collected e.g. name, addresses, email addresses, financial information, payment details, photographs, dietary requirements, medical records etc.
• how personal data is collected. Does information come from the customer directly, via a third party or through technical means for example cookies?
• why such personal data is collected and the legal basis for processing such data. Article 6 of the GDPR sets out the legal basis for processing personal data and article 9 of the GDPR sets out the legal basis for processing ‘special category’ personal data which includes race, religion and health amongst others. Has the Customer given their consent or do you require the information as part of providing your services?
• when is personal data shared with third parties? For example you may use your accountant for your payroll or an IT company to provide network and computer assistance;
• whether data is transferred outside of the European Economic Area (EEA). Do your travelling sales representatives log onto your IT network remotely from outside the EEA? In which country is your IT data hosted?; and
• how long personal data is kept for and the reasons for keeping the information for that period.

The responses to the above will form the foundation of your privacy policy.

Is there anything else I should include?

Yes, you must inform individuals of their enhanced rights under the GDPR and how they can exercise them. Therefore your privacy policy should also tell data subjects of their right to:

• access personal data held about them and have it deleted and/or corrected;
• object to processing (for example, direct marketing);
• data portability (i.e. have it transferred to another entity);
• complain about processing carried out by the data controller; and
• object to automated decision making.

Where and how should I display my privacy policy?

Under the GDPR privacy notices must be concise, transparent, intelligible and easily accessible. Therefore how and where you display the privacy policy on your website is key. In practice your policy should:

• be easily accessible and displayed prominently. If the link to your policy involves scrolling down through a large amount of text then arguably this is not “accessible”;
• use language that is clear, straightforward and free from legal jargon;
• be formatted in a way that it can be printed; and
• provide an accurate translation if the organisation targets data subjects in non-English speaking countries.
• If your policy is quite lengthy then consider a two tiered approach where a short form policy with a link to the full version is used. The short form should contain the main information such as the identity of the data controller, how data is collected, the legal basis for processing and the individual’s rights. The full version can be more detailed and contain tools and/or links to help individuals navigate through the document.

If you are still in the process of taking steps towards GDPR compliance, then please don’t panic, there is still time. If you would like assistance with your privacy policy or any other GDPR advice then please get in touch with a specialist member of the team. Or if you have any specific questions contact our expert GDPR solicitor Abi Sinden on 01202 057751 or send an email enquiry.