With the prospect of increased regulatory activity ahead, it is important for businesses and organisations to ensure that their Privacy Notices are compliant.
Privacy Notices are an essential part of GDPR transparency obligations: it should be clear to individuals that their personal data is being processed, to what extent, and what their rights are.
More than one Privacy Notice version may be needed depending on the category of individuals involved (customers, employees, etc.).
The information has to be provided in a clear, easily accessible format at the time personal data is obtained from individuals, or within one month when obtained from another source.
The mandatory categories of information to be provided are set out in Articles 13-14, and include purposes of processing, legal basis for processing, legitimate interests for processing (if applicable), data sharing, international transfers, and data retention.
Working all this out, with documentation to meet the requirements of accountability, can be challenging for businesses and organisations.
It may be necessary to refresh data mapping or review justifications for legal basis.
Privacy Notices should also align with the Records of Processing Activities (Article 30).
Privacy Notices are a critical part of GDPR compliance, but they are not a once-off exercise, and must be kept under review to reflect your processing activities.