What information does a privacy notice need to contain?

Under the UK’s Data Protection Act 2018 (UK GDPR), privacy notices need to contain a lot more information than they used to because the UK GDPR is very prescriptive about what information needs to be given to individuals.

Under the UK GDPR, personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to the [individual]’. The transparency requirements that flow from the words ‘in a transparent manner’ are extensive under the UK GDPR.

The transparency requirements are set out over 6 pages and require controllers to provide individuals with extensive information about how their personal data is collected, stored and used. Furthermore, this information must be provided to individuals in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ (in particular where the individual is a child). In practice, this means that controllers will need to include more information in their privacy notices, as well as retaining more detailed records of their data processing activities in relation to individuals.

To comply with the UK GDPR, privacy notices need to include:

  • the identity and contact details of the controller (e.g., phone, email, postal address etc)
  • the contact details of the controller’s nominated data protection officer, where applicable
  • how the controller will use and store the personal data as well as the legal basis for the collection, use and storage thereof (including in relation to special categories of personal data and criminal convictions and offences)
  • where legitimate interests is the legal basis for processing, the legitimate interests pursued by the controller or a third party (this must include the specific legitimate interest(s) being relied upon and where the individual can obtain a copy of the legitimate interest balancing test if that information is not already included in the privacy notice)
  • whether the personal data will be disclosed to/shared with any third parties (identifying the recipients or categories of recipients – if you choose to only name the categories of recipients this must indicate the type of recipient, the industry, sector and sub-sector and the recipients’ location)
  • whether the personal data will be transferred to a third country or international organisation outside the UK including how the personal data will be safeguarded and the means by which the individual can obtain a copy of those safeguards (the relevant UK GDPR article permitting the transfer and the corresponding adequacy mechanism should be specified, and detail on third country transfers must be as meaningful as possible which will generally mean that third countries be named)
  • details as to how long personal data will be stored, or if that is not possible, the criteria used to determine the retention period (it isn’t sufficient to generically state data will be kept as long as necessary for the legitimate purpose)
  • details of how the individual can obtain a copy of information held about them and details of all the other rights they have under the UK GDPR (this must include any national implementing legislation which qualifies or restricts the individuals’ rights and which the controller may rely on)
  • where processing is based on consent the right for the individual to withdraw their consent at any time
  • details of the individual’s right to lodge a complaint with a supervisory authority
  • details of whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and of the possible consequences of failure to provide such personal data and
  • the existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the individual.

Fines

Fines under the UK GDPR are substantially higher than under the old data protection regime. A breach of the rules on the information to be given to individuals in privacy notices is subject to fines of up to the greater of £17.5m (€20m) or 4% of the controller’s global turnover in the previous 12 months.

What do businesses need to do?

Businesses should:

  1. Review their privacy policies to ensure that they comply with the information requirements under the UK GDPR. This should be done on a regular basis to ensure the content of the privacy notice is correct and up-to-date at all times.
  2. Follow the ICO’s guidance on privacy notices.
  3. Provide regular reminders to individuals of the privacy notice and where it can be found.

It isn’t sufficient to state in the privacy notice that individuals should regularly check for updates to the notice. The onus is on the controller to inform individuals of changes, and to do so in a way that takes all measures necessary to bring the specific changes to the individual’s attention (which should be separate from any direct marketing content).

If you would like any further information or advice on what your privacy notice should contain, or the UK GDPR generally, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.