Your organisation’s Privacy Notice is more than just part of your website: it is the public face of your data protection compliance. Learn more about this vital document here.
In earlier pieces we have looked at the rights of those whose personal data you hold to be informed about how their data is collected and used. The best way to do this is to have it written down in a document called a privacy notice.
There are, however, some basic misunderstandings about what a privacy notice is and what its purpose is.
Most people first encounter a privacy notice as part of their website and can wrongly assume that it is part of the website development process rather than one of the documents required for UK GDPR compliance.
Using a standard-form privacy notice produced as part of development work on your website may well not be comprehensive enough to cover all your data processing activities. It is very unlikely that the website is the only place where data enters your business. It may be an important part, but if you receive information or orders from other sources (telephone, email, or social media), then the privacy notice needs to reflect all aspects of your data collection and processing activities.
While many of the documents required for UK GDPR compliance are only for internal use, a privacy notice is specifically intended to inform customers and others about your use of their personal data.
A privacy notice should identify your organisation with the name, address, email address and telephone number of the business, together with the personal contact details of the appointed Data Protection Officer. The types of data collected and held should be specifically described: just saying “financial details” is not adequate; you will need to state whether this means credit card or bank account details.
Under the UK GDPR regulations, organisations can only process personal data if there is a “lawful basis” for doing so and your privacy notice should specify which one of the six lawful bases you are relying on for each processing purpose. We will examine lawful bases in more detail in another blog shortly.
How you process and protect personal data also needs to be covered. This is particularly important if a third-party processor or storage provider is based outside the UK or EU. Under the UK GDPR you can only retain personal data for as long as the legal basis for processing applies, and you must state this retention period in the privacy notice. Lastly, the privacy notice should list and explain the rights of the “data subjects”, that is, the individuals whose personal data is under consideration.
Once you understand the purpose of a privacy notice, and that it needs to be publicly available wherever you source personal data, then the need for adequate support in its creation becomes clear.
CSRB will help you manage and protect data responsibly while taking the jargon out of the process. Contact us here or call 0117 325 0830 to learn more about how we can bring clarity to your data management processes.