With the prospect of increased regulatory activity ahead, it is important for businesses and organisations to ensure that their Privacy Notices are compliant.
Under GDPR, data controllers must provide individuals with mandatory information about the processing of their personal data and their rights, and the most effective way to do this is by a Privacy Notice (sometimes referred to as a Privacy Policy or a Privacy Statement, but the name is not important – what matters is the content and how it is provided).
Privacy Notices are an essential part of the GDPR transparency obligations: individuals should be able to see clearly that their personal data is being processed, for what purposes and to what extent, and what their rights are.
More than one Privacy Notice version may be needed depending on the category of individuals involved (customers, employees, etc.).
The information has to be provided in a concise, clear and easily accessible form, in plain language, at the time personal data is obtained from individuals, or, when it is obtained from another source, within a reasonable period and at the latest within one month.
The mandatory categories of information to be provided are set out in Articles 13-14, and include the identity and contact details of the controller, the purposes of processing, the legal basis for processing, the legitimate interests pursued (if applicable), data sharing, international transfers, data retention, and the rights of individuals, including the right to complain to a supervisory authority.
Working all this out, with documentation to meet the requirements of accountability, can be challenging for businesses and organisations.
It may be necessary to refresh data mapping or review justifications for legal basis.
Privacy Notices should also align with the Records of Processing Activities (Article 30).
Privacy Notices are a critical part of GDPR compliance, but they are not a one-off exercise: they must be kept under review and updated to reflect your current processing activities.