How to write a GDPR data privacy notice in 2020

GDPR - ICSS

How to write a GDPR data privacy notice in 2020

Category : Blog

How to write a GDPR data privacy notice in 2020

The  GDPR (General Data Protection Regulation gives individuals more control over how their personal data is used.

If your organisation processes personal data, the Regulation requires you to provide data subjects with certain information. This typically takes the form of a data privacy statement or privacy notice.

But what is a data privacy notice, and what should it contain? This post explains everything you need to know.

GDPR Managed Service Providers in India

What is a privacy notice?

 

A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you can adapt to your own organization.

A privacy notice is a document that organisations give to individuals to explain how their personal data is processed.There are two reasons for doing this. First, it ensures that you’re as transparent as possible with data subjects. This prevents any confusion about the way personal data is being used and ensures a level of trust between the organisation and the individual.

Second, it gives individuals more control over the way their data is collected and used. If there’s something the data subject isn’t happy with, they can query it via a DSAR and potentially ask the organisation to suspend that processing activity.

Let us watch the different steps of writing a GDPR Data Privacy Notice through this video:

How to write a privacy notice?

 

1) Contact details

The first thing to include in your privacy notice is the name, address, email address and telephone number of your organisation.

If you’ve appointed a  DPO(data protection office) or  EU representative, you should also include their contact details.

 

2) The types of personal data you process

The definition of personal data is a lot broader than you might think.

Ensure you include everything that you’re collecting and do so as specifically as possible.

For example, instead of just saying ‘financial information’, state whether it’s account numbers, credit card numbers, etc.

You should also outline where you obtained the information if it wasn’t provided by the data subject directly.

3) Lawful basis for processing personal data

Under the GDPR, organisations can only process personal data if there is awful basic for doing so . Your privacy policy should specify which one you’re relying on for each processing purpose.

Additionally, if you are relying on legitimate interests, you must describe them. If you’re relying on consent, you should state that it can be withdrawn at any time.

4) How you process personal data?

You must explain whether you will be sharing the personal data you collect with any third parties.

We suggest also specifying how you will protect shared data, particularly when the third party is based outside the EU.

5) How long you’ll be keeping their data?

The GDPR states that you can only retain personal data for as long as the legal basis for processing is applicable. In most cases, that will be easy to determine. For example, data processed to fulfill contracts should be stored for as long as the organisation performs the task to which the contract applies.

Likewise, organisations that process data on the grounds of a legal obligation public task or vital interest should hold on to the data while those processing activities are relevant.

Things are trickier with consent and legitimate interests, as there is no clear point at which they’re no longer valid.

As such, we recommend reviewing any processing that involves these lawful bases at least every two years.

6) Data subject rights

 

The GDPR gives individuals eight data subject right which you should list and explain in your privacy notice:

  • Right of access: individuals have the right to request a copy of the information that an organisation holds on them.

 

  • Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.

 

  • Right of portability: individuals can request that organisation transfer any data that it holds on them to another company.

 

  • Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.

 

  • Right to be forgotten: in certain circumstances, individuals can ask organisations to erase any personal data that’s stored on them.

 

  • Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.

 

  • Right to be informed: organisations must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept, and whether it will be shared with any third parties.

 

  • Rights related to automated decision making including profiling: individuals can ask organisations to provide a copy of its automated processing activities if they believe the data is being processed unlawfully. You should also remind individuals that they are free to exercise their rights and explain how they can do this.

 

Is privacy notice the same as a privacy policy?

A privacy notice is a publicly accessible document produced for data subjects. By contrast, a privacy policy is an internal document that explains the organisation’s obligations and practices for meeting the GDPR’s requirements.

Although they cover many of the same topics, privacy notices aren’t to be confused with privacy policies.

 

 

Why you need a privacy notice?

Privacy policies can also help you win business, as they prove that you take information security seriously.

Privacy notices are a legal requirement under the GDPR and ensure that individuals are aware of the way their personal data is processed. However, they can also benefit organisations in several ways.

For one, privacy policies provide documented proof of your data processing activities. This helps you justify your processing if someone lodges a complaint with their supervisory authority.

Privacy policies can also help you win business, as they prove that you take information security seriously.

Writing your privacy notice

In general, privacy policies should be written in the active voice and avoid unnecessary legalese and technical terminology.

This is particularly important when you are processing children’s personal data, as there are many concepts that you’ll have to explain in more detail.

Your privacy policy must be written in clear and simple language that data subjects can easily understand.

Likewise, you should avoid qualifiers such as ‘may’, ‘might’, ‘some’ and ‘often’, as they are purposefully vague. Saying you ‘may’ do something doesn’t help the data subject work out under what circumstances it will happen.

Finally, the policy should be free of charge and easily accessible; don’t hide it in a link at the bottom of a form where few people are likely to see it.

You should instead provide the policy to them in writing or link to it when asking for their personal data.

When should you provide a GDPR privacy notice?

The GDPR explains that data controllers must provide a privacy notice whenever they obtain data subjects’ personal information. The easiest way to provide a privacy notice is to post it on your website and link to it whenever appropriate.

If you don’t have a website, you should make a physical copy of your privacy policy available.

The only times this isn’t necessary are when:

  • The data subject already has the information provided in the privacy notice;
  • It would be impossible or involve a disproportionate effort to provide such information;
  • The organisation is legally obliged to obtain the information; or
  • The personal data must remain confidential, subject to an obligation of professional secrecy.

When an organisation obtains personal information from a third party, it must provide a privacy notice within a month. This should be done the first time the organisation communicates with the data subject or when the personal data is first shared with another recipient.

 

 


Leave a Reply

×

Hello!

Click one of our representatives below to chat on WhatsApp or send us an email to [email protected]

× Hi How can we help you