How to write a GDPR data privacy notice in 2020
The GDPR (General Data Protection Regulation gives individuals more control over how their personal data is used.If your organisation processes personal data, the Regulation requires you to provide data subjects with certain information. This typically takes the form of a data privacy statement or privacy notice.But what is a data privacy notice, and what should it contain? This post explains everything you need to know.
A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you can adapt to your own organization.A privacy notice is a document that organisations give to individuals to explain how their personal data is processed.There are two reasons for doing this. First, it ensures that you’re as transparent as possible with data subjects. This prevents any confusion about the way personal data is being used and ensures a level of trust between the organisation and the individual.Second, it gives individuals more control over the way their data is collected and used. If there’s something the data subject isn’t happy with, they can query it via a DSAR and potentially ask the organisation to suspend that processing activity.
How to write a privacy notice?
The first thing to include in your privacy notice is the name, address, email address and telephone number of your organisation.If you’ve appointed a DPO(data protection office) or EU representative, you should also include their contact details.
The definition of personal data is a lot broader than you might think.Ensure you include everything that you’re collecting and do so as specifically as possible.For example, instead of just saying ‘financial information’, state whether it’s account numbers, credit card numbers, etc.You should also outline where you obtained the information if it wasn’t provided by the data subject directly.
3) Lawful basis for processing personal data
4) How you process personal data?
You must explain whether you will be sharing the personal data you collect with any third parties.We suggest also specifying how you will protect shared data, particularly when the third party is based outside the EU.
5) How long you’ll be keeping their data?
The GDPR states that you can only retain personal data for as long as the legal basis for processing is applicable. In most cases, that will be easy to determine. For example, data processed to fulfill contracts should be stored for as long as the organisation performs the task to which the contract applies.Likewise, organisations that process data on the grounds of a legal obligation public task or vital interest should hold on to the data while those processing activities are relevant.Things are trickier with consent and legitimate interests, as there is no clear point at which they’re no longer valid.As such, we recommend reviewing any processing that involves these lawful bases at least every two years.
6) Data subject rights
The GDPR gives individuals eight data subject right which you should list and explain in your privacy notice:
Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
Right of portability: individuals can request that organisation transfer any data that it holds on them to another company.
Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.
Right to be forgotten: in certain circumstances, individuals can ask organisations to erase any personal data that’s stored on them.
Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.
Right to be informed: organisations must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
Rights related to automated decision making including profiling: individuals can ask organisations to provide a copy of its automated processing activities if they believe the data is being processed unlawfully. You should also remind individuals that they are free to exercise their rights and explain how they can do this.