
GDPR Guidelines - Privacy Statements
The Right to be Informed – a great opportunity
The GDPR places an emphasis on transparency when processing personal data. Individuals have the right to be informed about how you collect and use their personal data.
This is an opportunity for organisations to build trust and goodwill.
It is also an opportunity to reinforce your brand values through the privacy messages you use.
When must you inform people?
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from another source rather than from the individual, you must provide the individual with privacy information within a reasonable period of obtaining the data, and no later than one month after obtaining it.
How must you inform them?
The GDPR says that the information you provide to people about how you process their personal data must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Here is your opportunity to reassure people that you will take care of their data. It is an opportunity to rewrite your privacy statements in your unique 'tone of voice', speaking directly to your most valued customers or supporters in a way they will understand.
The ICO recommends a multi-layered approach as the most effective. Use different techniques at the various points in an individual's initial engagement with you at which you collect their data.
This could be done through:
- Simple, relevant statements on the forms and web pages where you collect the data;
- Use of privacy icons to draw individuals' attention to privacy information;
- Ensuring that mobile technology adequately displays privacy information;
- Reinforcement within follow-up correspondence;
- Links to further details in your full privacy statement online (made available in paper copy if necessary); and
- Reference to privacy, individuals' rights and who to contact on your contact pages.
What must be included?
- The purpose of the processing and the legal basis for the processing;
- The legitimate interests of the controller or a third party, where legitimate interests is the legal basis relied on;
- The categories of personal data (where the data was not obtained from the individual);
- Details of any transfers to a third country and the safeguards in place;
- The retention period, or the criteria used to determine the retention period;
- The existence of each of the data subject's rights;
- The right to withdraw consent at any time, where consent is the legal basis relied on;
- The right to lodge a complaint with a supervisory authority; and
- The source the personal data originates from and whether it came from publicly accessible sources (where the data was not obtained from the individual).
These items come from Articles 13 and 14 of the GDPR. Those Articles also require the identity and contact details of the controller (and of the Data Protection Officer, where one exists), so check your statement against the ICO Privacy Notice Checklist listed under References before publishing it.
Example Privacy Statements
I have come across many ways organisations communicate their privacy notices to individuals and have compiled some good examples here:
ICO Examples of good and bad: https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf
The list is updated regularly, feel free to share any new or novel approaches with me so I can add them to the list.
References
ICO guidelines for individuals' rights:
ICO Code:
ICO Privacy Notice Checklist: