It has been almost one year since the General Data Protection Regulation (GDPR) came into force. Most of us are used to having to click through at least one data protection related notice every time we go to a website. And fines have been issued, with Google being the first recipient, receiving a €50 million (£44 million) penalty from the French data protection authority CNIL.
In this article, we take you through the required steps.
“[w]here proportionate in relation to processing activities, […] measures […] shall include the implementation of appropriate data protection policies by the controller.”
What does the GDPR say about privacy policies?
The GDPR requires that a privacy policy be:
- simple, transparent, and easily visible
- free to access
- written in plain language
As you can see, there is no place for ‘small print’ when it comes to privacy policies.
The name and purpose of your organisation
Who you are and what you do.
How your business comes to acquire personal data
You need to point out the circumstances which lead to a person’s data being collected by your organisation. For example, a lot of personal data is provided by the data owner when they sign up to a service or buy a product. If someone opens an account at your company’s online store, they will need to provide data regarding their name, postal address, and email address. Data regarding a customer’s activities on your company’s website may also be acquired, along with their IP address. Regulatory bodies such as the Financial Conduct Authority may get hold of personal data following an investigation.
The purposes for which your organisation is processing personal data
You need to tell people the purposes for which the personal data which you have collected will be used. Examples include:
- providing the information, products, or services requested
- processing job applications
- meeting contractual obligations between your organisation and the data owners
- supplying marketing material for which the data owner has ‘opted-in’
How long you will store a person’s personal data
Will personal information be shared with third parties?
It is crucial you clearly state your policy on sharing data. If you are sharing personal data with a third party, you must seek every data owner’s permission before you do so. This is done by way of a clear privacy notice which should state who the recipients of the information will be, or at least the types of recipients.
There may be situations where the data controller must pass on information to a third party without consent, such as in a police investigation.
You must have contracts in place with any third-party data processors to whom you pass information. The contract should set out the nature, duration, and purpose of the processing, and require that the data processor comply with the GDPR and take appropriate security measures.
The rights of data owners
Your privacy policy must explain that data owners have the right to:
- access any personal data
- make corrections to any incorrect or out-of-date information
- request the deletion of any personal data that is not required to be maintained by your organisation for legal or tax purposes
- state they want to prevent their data being used for direct marketing purposes
- withdraw any previous consent regarding the use of personal data
Whether the business intends to transfer it to another country
Automated decision-making or profiling
Saracens Solicitors is a multi-service law firm based in Central London. We have dedicated and highly experienced commercial law solicitors who can advise you on all GDPR matters. For more information, please call our office on 020 3588 3500.