How to write a privacy notice

By Rebecca Wong - October 8th, 2019 Posted in Data Protection

Article 5 (1) describes the first of seven principles upon which the GDPR is formulated. It states that personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to individuals. It’s the transparency element that the provision of a privacy notice falls under. The principle of transparency in the collection and processing of personal data isn’t rocket science: you just need to be clear, open and honest from the outset with the people whose personal data you are collecting and processing, as to what you are collecting, why you need it, and what you are going to do with it. Having said that, if you are to be compliant with the GDPR it is important that your privacy notice includes all the required elements. If you miss anything out or apply the wrong lawful basis for processing data, for example, you risk action from the ICO, so in this blog we explain how to write a privacy notice.

What does a privacy notice need to include?

Before we go into the exact requirements, it’s important to note that the way a privacy notice is written, i.e. the language that is used, is as important as the information you put in it. Art. 12 of the General Data Protection Regulation (“GDPR”) details the requirements of the privacy notice, and it states that it should be written so that the data subject can understand it. If your data subjects are children, the language you use should be tailored so that children can understand it. In all instances it should be concise, transparent, intelligible and in an easily accessible form, and it should use clear and plain language.

Far from being an onerous task, being open and upfront about what you intend to do with the data should be viewed as an opportunity on your part to develop trust with your customers. It also demonstrates compliance with the GDPR principles: fairness, purpose limitation, consent and legitimate interest.

What does the privacy notice need to include?

To be GDPR compliant, your privacy notice should include the following:

  • The name and contact details of the data controller
  • The contact details for the DPO, if you have designated one
  • The types of personal data you are collecting and processing
  • The purposes for which you collect and process personal data
  • The legal basis for each processing purpose
  • Information about what personal data you share and the categories of recipients
  • Whether you transfer personal data to third countries (those outside the EEA without an ‘adequacy decision’)
  • Information about the period for which the information will be processed and stored
  • Details of data subjects’ rights, which are: the right to be informed; the right of access; the right to rectification; the right to erasure or to restrict processing; the right not to be subject to automated decision-making (if this applies)
  • Who to complain to with relevant contact details. For the UK, this would be the ICO’s address.

If you rely on ‘legitimate interest’ as a legal basis for processing personal data, you also need to state what your interest is.

What is the legal basis for collecting information?

The third point above mentions the correct legal basis for collecting personal information. Under Art. 6 of the GDPR, there are 6 legal bases for processing personal data. These are:

  • Consent
  • Performance of a contract
  • Legitimate interest
  • Compliance with a legal obligation
  • Vital interests
  • Public task

Choosing the correct legal basis for processing data is important because it is difficult to change once you have stated your reason for processing and started collecting data under a particular basis.

Where more than one legal basis applies, you should choose the most appropriate. If a special category of data is being processed, not only does a lawful basis for general processing need to be identified, but an additional condition for processing this type of data needs to be considered under Art. 9 GDPR.

The subject of legal bases for processing data is a blog in itself, and I’m conscious of going off subject here, so for brevity: the ICO has provided a guide to help you decide which legal basis is most appropriate. Legitimate interest is the most complex basis to apply, and we have a blog on this here.

Who is the audience?

As an organisation, you will most likely collect data from different groups of people for different reasons. The personal data that you collect from online customers, and your reasons for doing so, will be completely different from that of your employees, so you will need different privacy notices tailored to each audience.

When should the privacy notice be provided and how?

There are two scenarios here. If you, as the data controller, directly obtain the information from the data subject, you should provide the privacy notice at the time of obtaining that personal data. If you have not obtained the information directly from the data subject, for example because you are a third-party supplier and have received the data from your client (the data controller), then you have up to one month from the first communication with the data subject to provide your privacy notice to them.

What are best practices around privacy notices?

Your business sector and the type and quantity of data you are collecting will affect the length and complexity of your privacy notice. For example, our privacy notice is relatively simple and short. That’s because, as a consultancy, we don’t need reams of personal data to help our clients with their job. A business like Tesco is more complex. Although it’s primarily a food retailer, it has many different divisions, such as banking, insurance, mobile telephony, pharmacy and optician, and it uses its customer data across these business units to enhance its marketing and cross-sell its various services. Consequently, it has a much more complex explanation to make in its privacy notice. This complexity can be reduced by the way it is presented. Using headings and drop-down menus presents the information in manageable chunks; this is called a layered approach, and it makes the notice altogether easier to understand and digest.

Added to this concept is a ‘blended approach’. The term ‘privacy notice’ is somewhat misleading in that it makes it sound like a single document which can be presented in one format, but this is not the case. You can alert your customers to their privacy rights using the various media that you already use to communicate with your customers; this could be on the telephone, via printed posters or text messages. I’ve noticed that lately, BBC radio stations have started to include the location of their full privacy policy to listeners at the end of their jingles. Microsoft use a dashboard enabling users to easily access their information and control it themselves.

Need help?

Before you craft your privacy notice, you need to know what personal data you process, what you use it for, where you store it, how long for, and what third parties, if any, you send it to. If you would like some advice or support with your privacy notice or in pulling this information together, contact us for a friendly chat.