When clients first ask us to advise on their data protection and privacy matters, we usually kick things off by asking to see their current privacy notice. That’s the document that explains to individuals how the business collects, uses and protects their personal data… or it should do. Instead, digging out the privacy notice can sometimes be a bit like opening your child’s lunch box after the school holidays!
All organisations need to spring-clean their privacy notice every now and then. Remember the frantic days leading up to 25 May 2018, when the General Data Protection Regulation (GDPR) came in? Or perhaps you’ve launched a new venture or project more recently. Has there been little time or patience for data protection compliance in your organisation? Many end up taking shortcuts under this kind of pressure, opting for ‘good enough’ – or just leaving data protection policies and procedures untouched. Your privacy notice should evolve alongside your business – it should be a living, breathing document.
It’s nearly six years since the GDPR became part of our lives – that’s a long time. There have been some changes to the law, and a steady flow of guidance, case law and fines. Plus, we’re willing to bet that your business has changed quite a lot in that time too. Is it time to give your privacy notice a spring-clean?
Well, the Information Commissioner’s Office (ICO) is certainly on board. As we were preparing this piece, it issued its own nifty tool aimed at making it easier for small and medium-sized enterprises (SMEs) and charities to create their own privacy notices. The tool enables organisations to create two distinct privacy notices: a customer-facing one to explain how they use data as part of their general services, and a separate one for staff to explain how they use staff data.
We’ve had a play with it, and it’s definitely a decent starting point. However, there are several places where it could be better, and it still leaves the organisation with a lot of additional work to do – they say 15 minutes, but we’re sceptical that anyone could do an acceptable job in that time. Rest assured that we’ll be feeding that back to the ICO as part of its consultation on the tool. But, if you don’t have a privacy notice at all, you might find it a starter for 10.
In the meantime, here are some key areas to consider when reviewing your (perhaps rather dusty) privacy notice. If you need help, or would rather ask someone else to open and clean out the lunchbox, give us a shout!
- Brexit means that you might now be transferring data outside the EEA or EU.
The UK waved goodbye to the European Economic Area (EEA) and the EU when it left on 31 January 2020. Since then, we’ve seen countless privacy notices – and contracts, for that matter – earnestly promising not to transfer personal data outside the EEA or the EU. With the UK now outside both of them, that’s not the best look. Worse still, are you making a promise to your customers that you have technically been in breach of for a while now?
- Do you use the data for different purposes?
In general, the GDPR prohibits the use of personal data for new purposes if these are unrelated to the purpose for which the data was originally collected. Most businesses change over time and, given the value of personal data these days, your business may well be using that data for new and exciting purposes. Your privacy notice must make this clear. If the purposes are brand-new, you might need to identify a legal basis to use the data in that new way. One to ponder from a risk perspective.
- Do you use different suppliers now?
If your privacy notice sets out who you use to support your services, what for and where they are based, chances are that some or all of them will have changed by now. You may need to be transparent about who those new suppliers are.
Those changes, or changes within the relevant countries, might also mean that you need to deal with different international data transfer requirements. We’re talking about those now in place for UK–EU transfers, and UK–USA transfers under the newish Data Privacy Framework. There’s also the ICO’s International Data Transfer Agreement/Addendum, which replaced the EU standard contractual clauses (SCCs).
- Do you use AI now?
Did artificial intelligence (AI) even exist in 2018? Barely, from a business perspective. Now, it’s probably bolted onto your day-to-day software, and more and more AI systems are being deployed daily. If your shiny new AI systems use personal data from your customers or others, allow you to make decisions about individuals or create personal data about them, your privacy notice should reflect that.
- Are you really relying on consent?
There’s a lot to consider here: have you kept records to support valid consent? Can you still rely on consent? Is consent really the right way to go for your business? Have you considered whether you need to ask for consent for direct marketing? Could you possibly rely on the soft opt-in under the Privacy and Electronic Communications Regulations (PECR)?
- Do you collect data from other sources now?
Many businesses roll out a template, and then forget to check whether it reflects how they actually do business. For example, they might only talk about collecting information from their website when, in reality, they collect data by phone, in person, from the internet, via social media, from other group companies, from other third-party lead generation services or from clever profiling tools.
- Are your technical measures out of date?
Six years is a lifetime in the world of IT security. Many businesses choose to give vague statements about how they will protect personal data. This is far from ideal. Instead, there’s a balance to be struck: avoiding the vague statements that we often see while not being so specific that your details are out of date the moment you publish your freshly polished privacy notice.
These are just a few areas that might need a tidy-up to improve your external-facing privacy compliance. But don’t forget your internal policies and procedures too! Did you promise to get a retention policy in place, or set up a rigorous personal data breach response plan? And what about data subject access requests (DSARs) – was working out how best to handle them on a long-forgotten to-do list? Are your contracts and international transfers sorted – between you and your suppliers or between your group companies? Why not dust all those off too?
Let’s not wait for another data protection revolution to give our privacy notices a glow-up. Get in touch with us, and we’ll help to sort you out with a privacy notice that’s up to date, compliant and builds trust that you have data protection under control.