GDPR: Privacy policies

Privacy policies aren’t new, all of us will (or should!) have a privacy policy on our website telling people what we’re doing with their personal information.

However, under the GDPR, one privacy policy isn’t going to be enough.

In order that people understand what happens when they hand over their personal information privacy notices have to appear ‘just in time’, that is, at the point the person is handing over information.  And in keeping with the overall principles of the GDPR, notices should be honest and transparent.

If you’ve done a data map of what information you’re holding and where it’s come from you’ll be able to identify where those points are – and therefore where you need to add a privacy notice.

At VONNE we’re starting with our online communications.  People give us their personal information in a number of ways, for example:

For each of those examples we need to write a short privacy notice ‘just in time’ and link to our full privacy notice.  This ensures that anyone who hands over their information knows exactly what will happen to it.

What should a privacy notice look like?

A good privacy notice should be written clearly, using plain English and avoiding technical language or jargon. 

Think about who is going to read it. If you’re talking to children, vulnerable individuals, or people whose first language isn’t English, you might need to break your notice down to make it easier to understand.

There are a number of things which have to be included in the privacy notice including:

  • what lawful basis you are using to process the data;
  • what you will be using the data for; and
  • the right of the individual to access their data.

The ICO website has a good checklist for things that you need to include.

We’ve made a start by updating the privacy notice for people signing up for our e-bulletins, which also links to our more detailed privacy policy (which in turn will form part of our eventual GDPR policy).

This will be reviewed and updated in the run up to May, other privacy notices will be added to our website and in our offline communications, and our more detailed privacy policy will be expanded to include our data retention policy and a full explanation of our lawful basis for processing.

Next time: Data retention and lawful basis.