It has been almost one year since the General Data Protection Act (GDPR) came into force. Most of us are used to having to click through at least one data protection related notice every time we go to a website. And fines have been issued, with Google being the first recipient, receiving a €50 million (£44 million) penalty from the French data protection authority CNIL .

Even though most organisations understand their GDPR compliance requirements, one area continues to flummox many. The creation of a privacy policy.

However, there is still some confusion around GDPR compliance, especially in relation to drafting a GDPR compliant privacy policy.

In this article, we take you through the required steps.

What exactly is a privacy policy?

A privacy policy is a statement which confirms how your business or charity applies data protection principles to the collection and processing of data. It is referred to under art. 24 of the GDPR, which states:

“[w]here proportionate in relation to processing activities, […] measures […] shall include the implementation of appropriate data protection policies by the controller.”

What does the GDPR say about privacy policies?

A data processors duty to provide privacy information to data owners is outlined in art. 12, 13, and 14 of the GDPR. To be compliant, your organisation’s privacy policy must be:

  • simple, transparent, and easily visible
  • free to access
  • written in plain language

As you can see, there is no place for ‘small print’ when it comes to privacy policies.

What should a privacy policy contain?

A compliant privacy policy should explain the following:

The name and purpose of your organisation

Who you are and what you do.

How your business comes to acquire personal data

You need to point out the circumstances which lead to a person’s data being collected by your organisation. For example, a lot of personal data is provided by the data owner when they sign up to a service or buy a product. If someone opens an account at your company’s online store, they will need to provide data regarding their name, postal address, and email address. Data regarding a customer’s activities on your company’s website may also be acquired, along with their IP address. Regulatory bodies such as the Financial Conduct Authority may get hold of personal data following an investigation.

Every organisation will be unique; therefore, you cannot simply copy and paste from another organisation’s privacy policy. You need to clearly ascertain how your business, charity or body collects personal data and spell this out clearly in your policy.

The purposes for which your organisation is processing personal data

You need to tell people the purposes for which the personal data which you have collected will be used. Examples include:

  • providing the information, products, or services requested
  • processing job applications
  • meeting contractual obligations between your organisation and the data owners
  • supplying marketing material for which the data owner has ‘opted-in’

How long you will store a person’s personal data

In most cases, your privacy policy should state that a person’s information will only be kept for as long as operationally and/or legally required. For example, some information is required to fulfil certain tax or health and safety obligations. You do not need to spell out each of these individually but make it clear that data may be retained for these purposes.

Will personal information be shared with third parties?

It is crucial you clearly state your policy on sharing data. If you are sharing personal data with a third party, you must seek every data owner’s permission before you do so. This is done by way of a clear privacy notice which should state who the recipients of the information will be, or at least the types of recipients.

There may be situations where the data controller must pass on information to a third party without consent, such as in a police investigation.

You must have contracts in place with any third-party data processors who you pass on information to. The contract should set out the nature, duration, and purpose of the processing and that the data processor must comply with the GDPR and take appropriate security measures.

The rights of data owners

Your organisation’s privacy policy should clearly spell out the rights of data owners. They should be informed they have the right to:

  • access any personal data
  • make corrections to any incorrect or out-of-date information
  • request the deletion of any personal data that is not required to be maintained by your organisation for legal or tax purposes
  • state they want to prevent their data being used for direct marketing purposes
  • withdraw any previous consent regarding the use of personal data

Whether the business intends to transfer it to another country

Primarily, the GDPR relates to the rights of data owners in the European Union. This means certain rights may be lost if personal data is transferred outside the EU. Therefore, the GDPR restricts the international transferring of personal data unless rights can be protected in another way or an exception applies such as the person has provided their consent for the restricted transfer or the transfer is necessary to perform a contractual obligation. This needs to be clearly outlined in your privacy policy.

Automated decision-making or profiling

Ah, those robots. To carry out compliant automated decision-making or profiling, you need to document the lawful basis for which these functions will be carried out in your privacy policy. You also need to explain how individuals can access details of the information used to create their profile. Any profiling or automated decision-making concerning vulnerable groups such as children should have additional protection measures in place.

Make sure your privacy policy states that you have these safeguards in place and show you have carried out a Data Protection Impact Assessment before engaging in any new automated decision-making or profiling. The latter is not obligatory, but the Information Commissioner’s Office (ICO) states it is best practice.

Final words

As organisations become confident with the GDPR and the courts and ICO release further guidance and decisions, the contents of what must be contained in a privacy policy will become clearer. For now, the best guidance comes from the ICO and your Solicitor, who can advise you on how the GDPR applies to your unique business, charity, or body.

Saracens Solicitors is a multi-service law firm based in Central London. We have dedicated and highly experienced commercial law solicitors who can advise you on all GDPR matters. For more information, please call our office on 020 3588 3500.