What must a privacy notice do?
The GDPR is prescriptive about the information that a privacy notice must contain, including that it must be presented in clear and intelligible language. The EU and UK data regulators have provided interpretative guidance on when to provide notices and how to draft them. For instance, they confirm that the privacy notice should never be hidden away in the fine print of a contract – see the Article 29 Working Party Guidelines on transparency under Regulation 2016/679.
A comprehensive list of the information which must be covered in a privacy notice is set out in the GDPR (under articles 13 and 14). The rules differ slightly depending on whether your organisation is collecting personal data from an individual itself or is relying on a separate business to collect the data. The information requirements include identifying the data controller (which may or may not be the organisation which is presenting the notice – as noted above), stating your organisation's purposes for processing personal data and setting out the data protection rights available to individuals.
Where do organisations struggle?
In our experience (across the UK and globally) the most common issues are:
1. No clear retention period stated
A number of organisations still state that personal data will be held for 'as long as is necessary', which is too vague to satisfy this legal requirement.
2. No suitable legal ground
Personal data can only be held lawfully if a valid legal ground applies – such as 'consent' obtained from the individual, or where processing is necessary for the 'performance of a contract' with the individual. Organisations often fail to indicate clearly the legal ground being relied upon, or identify invalid or unsuitable grounds for that particular data set. To make things more difficult, there are often restrictions on when each legal ground can be used.
3. Not naming the recipients of data sharing
Organisations must provide specific details of any recipient of an individual's personal data. Stating that data is being shared with "trusted partners", for instance, is not sufficient.
4. International transfers
The privacy notice should indicate whether transfers of personal data will be made outside the EEA and, if so, what safeguards are in place to protect the personal data. This is often overlooked.
The ICO have been clear that if an organisation is likely to process children's data, the notice needs to be designed with age-appropriateness in mind.
Getting it wrong
Regulatory scrutiny can occur following a reported data breach.
UK and EU Regulators have been known to conduct random online sweeps of data protection compliance within a particular sector or industry, identifying frequent and often fundamental failures.
A non-existent or non-compliant privacy notice can attract a variety of sanctions, including a fine. In 2019 an EU regulator fined the Polish digital marketing company Bisnode €220,000 for failing to provide individuals directly with a privacy notice, in contravention of Article 14 of the GDPR. Bisnode had gathered contact details from both publicly available and non-publicly available sources. Its attempt to rely on the exemption for impossibility or disproportionate effort to inform was not successful, nor was its argument that it had provided a privacy notice on its website and so did not need to inform the individuals directly.
How we can help
We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits).
Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.