Privacy Notices or Privacy Policies – What Are They and Why Do We Need Them?
Posted on 18th June 2020 at 07:56
Under the DPA98, data always had to be processed lawfully and fairly; under the GDPR this was uplifted to lawfully, fairly and transparently.
This means that organisations have a legal obligation to be open and honest about what personal data they process, for what purpose, under what lawful basis, how long they keep it, who it's shared with, and a host of other things.
The right to be informed is covered by Art 12-14 of the GDPR, and guidance has been provided by the A29WP via their Transparency guidelines and summarised by the ICO on their site.
The way most organisations have attempted to fulfil these requirements is by placing a Privacy Notice (N.B. a Notice is external, a Policy is internal) on their website. The privacy notice can't be buried 5 pages in; it needs to be clearly displayed on the website – most people tend to place the link in the footer of each page.
Unfortunately, many companies have used boilerplate templates that neither reflect the actual processing their organisation does, nor are actually understood by the organisation themselves. This second one risks being non-compliant with Art 5.2 – Accountability if there are complaints or queries about the content (e.g. Hall and Hanley).
A privacy notice needs to properly represent the actual processing performed by your organisation and not an imaginary business that does something similar. The paperwork must match the reality.
This is why there are no templates provided by regulatory bodies such as the ICO, or by good consultants. The best a business could hope to get from a template is a series of headings. A chiropractic clinic will process very different information from an engineering company; Netflix will process way more profiling data than, for example, a logistics and delivery company. This means that there is no one-size-fits-all template – because it would be meaningless. If you do belong to a professional body, it's possible they will have a semi-suitable template because all members of the body do similar things.
However, you will still need to adapt the policy to your individual circumstances and understand what it says if you are to be accountable.
The ONLY purpose of a Privacy notice is to serve. It never forms part of the T&Cs of service and is never agreed to, consented to, accepted by check-box or otherwise. If you read a Privacy Notice that says this, run for the hills and get them to take advice from someone who knows what they're doing.
It's also worth saying that a privacy notice is an output of a lot of other foundation work, and this is often overlooked. An Art 30 Record of Processing Activity is a must-have, regardless of the number of employees you have. If you don't have your data mapped out with your lawful bases, how can you possibly describe what you do and why, to the people served by the privacy notice? It would be a bit like trying to build a house without foundations, and would result in the same ending.
I've heard it said by one company that they don't need a privacy notice because they are business to business only.
Wrong – Transparency is a legal requirement whenever you are processing personal data. An email that is name.surname@organisation is still personal data. An email that is info@organisation could also easily be personal data if there is only one director in a Limited Company.
If there is any way at all of identifying individuals, either from the data itself, or in combination with other data, it is personal data, and you need to be transparent about how it's handled.
There is a lot more that could be said about privacy notices, and I could provide some humdinging examples of how to do it badly, as well as some pretty good ones too, but this isn't the place for that.
If you feel like you need specific advice, get in contact with me at firstname.lastname@example.org and I will be happy to discuss requirements.