GDPR – don’t overlook your privacy notice
The GDPR applies from 25 May 2018, which does not leave your organisation much time to comply. While you have most likely been busy with the high-level GDPR changes, such as how you obtain clients' consent, you may be overlooking a key component: your privacy notice. Privacy notices give data subjects, such as your employees, customers and prospects, clear information on how their personal data will be collected and handled, and they are one of the quickest and easiest GDPR requirements to satisfy.
Unfortunately, even if your organisation already has a privacy notice, it is probably not GDPR-compliant. If you do not update your privacy notices, you could face a fine of up to €20 million (roughly £16 million) or 4% of your annual global turnover, whichever is higher.
To help update your privacy notice, the Information Commissioner’s Office (ICO) released a list of 10 things that must be included:
- Identity and contact details of the data controller and, where one has been appointed, the data protection officer
- Purpose of the processing and its legal basis
- The legitimate interests pursued by the controller or a third party, where legitimate interests is the legal basis relied on
- Any recipients or categories of recipients of the personal data
- Details of transfers to non-EU countries and the safeguards in place
- Retention period, or the criteria used to determine the retention period
- The data subject's rights (access, rectification, erasure, restriction, data portability and objection)
- The right to withdraw consent at any time, where processing is based on consent
- The right to lodge a complaint with a supervisory authority
- The existence of automated decision-making, including profiling, with meaningful information about the logic involved and the significance and likely consequences for the data subject
This list forms the base requirements for what you must include in your privacy notices. Be sure to check the ICO's specific guidance on GDPR privacy notices, as your circumstances may require more information (for example, where you obtain personal data from a source other than the data subject).
Also remember that the GDPR requires the information you provide about how you process personal data to be concise, transparent, intelligible and easily accessible. That means no jargon, clear and plain language, and no charge to the data subject for receiving it.