All privacy notices that a business issues will have to be ‘transparent, concise and easily legible’, as well as being written in clear, plain English. No room for legal jargon!
Increased Provision of Information
As well as providing additional rights to the data subject, a key aspect of the GDPR is the provision of information to the data subject. GDPR sets out very specific requirements for what information must now be provided to data subjects in the privacy notice. These include:
1. The identity of the data controller
This will be you as the party that collects the data subject’s information. An individual has a right to know the identity of the legal entity that is collecting their data.
2. What choices the data subject has
The principle of ‘fair processing’ under GDPR requires that individuals must have control of their personal data. This requires that individuals are (1) given the option to request the deletion of their personal data and (2) told how they can do that.
3. What information is being collected
The description of what data is collected from the data subject must be very specific. Most frequently, this will be the name, address and email that you, as the business, require to fulfil the purpose for which the data subject provided their information to you.
4. How long the personal data is kept
5. Why the information is being collected
It is now necessary for you to set out exactly why you are collecting the personal information from the data subject. This may be to provide them with the download/guide or service that they have requested. Be specific. As the ICO states, you should map out your data processing functions and then list the specific purposes for which the information provided will be used.
6. How long the data will be used and kept for
The new requirements state that an individual must now be notified as to how long their data will be kept. The time period must be ‘reasonable and directly related to the purpose for which the data was collected’. This may vary considerably, depending on the purpose for which the data was collected.
7. Who you will share the information with
As the party that collects the data (the ‘Data Controller’) you will be intending to do something with that data. In many instances it will be necessary for you to pass that data to a third party to carry out the function. That party is known as the ‘Data Processor’ and it is your responsibility to tell the data subject who will be processing data on your behalf. It may also be the case that you will process the data internally, in which case you need to state that too.
8. Transfer of personal data outside of the EEA
The individual must be notified if their data will be transferred outside of the European Economic Area (EEA). The assumption is that countries that are not themselves bound by GDPR may offer weaker data protection rights and regulation.
Accordingly, an individual must be notified if this will be the case, so that they have the choice as to whether they wish to provide the data and so consent to this.
Many businesses will transfer the data that they collect to a third party to process that data, for example, when passing data to a payment processing company, or to a company that does marketing for your business.
More and more businesses that use cloud storage services will store their customer data with a company based outside of the EEA.
The Rights The Data Subject Has
The right to request that their data is deleted, corrected or brought up to date;
The right to request that their data is transferred to another party (this is part of the data portability requirement);
The right to complain to a supervisory body, and who that body is.