Privacy Notices are not new.
Most companies have some form of privacy notice on their website. To date, they have been deployed “en masse” and for the most part without any real thought to address the main focus of a privacy notice – to detail the personal data processing activities of the organisation. Most privacy notices are generic and use boilerplate language. Placed side by side, it would be difficult to figure out the personal data and services provided by one organisation over another even where their processing activities and personal data collected are completely different.
Under the GDPR privacy notices can no longer be generic.
Article 13 of the GDPR is very prescriptive on the information that must be provided to the data subject at the time their personal data is collected.
Article 12 states that information must be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.
Article 12 (7) also states that the information must be provided in order to give an “easily visible, intelligible and clearly legible….and meaningful overview of the intended processing”. So, no more repetition of the data protection principles ad nauseam.
The GDPR increases the amount of information that needs to be included in a privacy notice and yet paradoxically requires that the privacy notice should be “concise”.
Article 13 requires that the privacy notice should include the following information:
- the identity and the contact details of the controller
- the contact details of the data protection officer
- the purposes and legal basis for the processing
- where the processing is based on legitimate interests, details of what these are
- the recipients or categories of recipients of the personal data
- details of any transfer to a third country and details of the safeguards and the means by which to obtain a copy of them or where they have been made available
- the retention periods or the criteria used to determine that period>
- details on rights of access to and rectification/deletion of personal data. Rights to object to processing and the right to data portability
- if processing is based on consent, the right to withdraw consent
- the right to lodge a complaint with the supervisory authority
- details on whether the data subject is obliged to provide the personal data and the consequences of failure to provide it
- details of any automated decision making, including details of the logic used and potential consequences for the individual
This is clearly a significant departure from the privacy notices of old and some of these provisions will start some heads scratching. Note the requirements of Article 12 and 13 are only relevant to data controllers however many data processors may well volunteer a privacy notice to identify their role in proceedings.
A privacy notice is also a helpful step towards compliance with other provisions of the GDPR, that are relevant to data processors, such as the data protection principles at Article 5.
One of the first steps to meeting the requirements of Article 12 and 13 and indeed compliance with the GDPR, in general, is to know your data.
We have written previously about building your data catalogue. Without answering all the questions required as part of a data catalogue it will be impossible to draft your privacy notice so that it is compliant with GDPR. You can spot the Privacy Notice that is “meaningful” a mile away. Take your first vital step toward compliance and make your privacy notice stand out from the crowd. Build a data catalog and then draft a “meaningful” privacy notice.
Or better still call in the experts and have Fort Privacy do it for you!