GDPR Compliant Privacy Notice

One of the most frequent questions we get asked is how to draft a GDPR compliant privacy notice!

The ICO has some excellent existing guidance on privacy notices and is updating its information all the time to help firms of all sizes meet the GDPR requirements. Whilst there is no ‘one-size-fits-all’ template for a compliant privacy notice, GDPR Articles 13 and 14 set out the information that must be included (Article 13 where the data is collected from the individual, Article 14 where it is obtained from elsewhere).

GDPR Compliant Privacy Notice Headings

From the information disclosure Articles in the GDPR, you can get a good understanding of the headings and descriptive content that make up a privacy notice. Headings can include areas such as:

  • Who We Are – a summary of your organisation, trading and registered office details, company number (if applicable) and who your DPO/Lead is (your identity & contact details plus those of any rep)
  • Information We Collect – what personal information you obtain/process, the reasons for processing it and the ways in which you obtain it (e.g. via orders, contact forms, employees etc)
  • How We Use Your Personal Data – the legal basis for each processing purpose, what you intend to do with the data and when you will/won’t process it (e.g. you will never disclose, share or sell data without consent, unless required to do so by law). It makes for a clear notice if you bullet point the ways you use data and the basis you are relying on for each:

Example: The purposes and reasons for processing your personal data are detailed below:
We collect your personal data in the performance of a contract, to provide a service to you and to ensure that orders are completed and can be sent out to your preferred address.

We collect and store your personal data as part of our legal obligation for business accounting and tax purposes.

  • Data Subject’s Rights – detail the rights an individual has, such as accessing their personal information, having inaccurate data corrected, data portability, and objecting to or restricting processing etc
  • Sharing and Disclosing Your Personal Information – who do you share personal data with and why? What safeguarding measures do you/they have in place? It is good practice to add a link to each recipient’s privacy policy/notice

Example:
ABC Accounting Ltd
123 The Street, Town, AA1 1AA
01234 567890
We use ABC Accounting Ltd to do our book-keeping and tax returns and they act in the capacity of a processor on our behalf. The only information we provide them with is your name, address and order details to meet business and legal requirements.
For more information about ABC Accounting Ltd, please read their Privacy Notice at www.abcaccount.com/privacy-policy

  • Transfers Outside the EU – if you send/store any personal data outside the EU, name the recipients, state the reason it is sent/stored there and which safeguard you rely on (e.g. an Adequacy Decision, Binding Corporate Rules, Standard Contractual Clauses etc)
  • Safeguarding Measures – what technical and organisational measures have you put in place to secure processing and personal data and reduce the risk posed to individuals? (e.g. TLS for data in transit, encryption at rest, pseudonymisation, access restriction and authentication controls etc). This is not itself an Article 13/14 item, so describe the measures at a level that reassures individuals without publishing operational detail that would help an attacker
  • Consequences of Not Providing Your Data (if applicable) – required where providing the data is a statutory or contractual requirement, or is necessary to enter into a contract; state whether the individual is obliged to provide it and what happens if they do not
  • Legitimate Interests (if applicable) – if you are relying on legitimate interests for processing, state what those interests are
  • How Long We Keep Your Data – retention periods or the criteria used to determine those periods
  • Marketing – if you send/intend to send marketing to individuals, this needs to be stated and the legal basis (consent or legitimate interests) along with appropriate and compliant opt-in mechanisms & right to opt-out
  • Lodging A Complaint – add the contact details of the Supervisory Authority and state an individual’s right to lodge a complaint with them
  • Automated Decision Making (if applicable) – note the existence of automated decision-making, including profiling, with meaningful information about the logic involved and the significance and envisaged consequences of such processing for the individual
  • Source (if applicable) – where the data was not obtained from the individual (Article 14), state the original source of the personal data and whether that source was publicly accessible
  • Consent – if your collection of personal information relies on consent, ensure that you obtain that consent, that it is given by an affirmative, clear action, and that the notice states the right to withdraw consent at any time

The above is not an exhaustive list, and headings/content will differ from company to company. If you require a template Privacy Notice (Privacy Policy), our 8-page GDPR Compliant Privacy Notice is included in our GDPR policy pack, bundle and GDPR Documentation Toolkit – compare GDPR Bundles.