Under the DPA98, data always had to be processed lawfully and fairly. Under the GDPR this was uplifted to Lawfully, Fairly and Transparently.
This means that organisations have a legal obligation to be open and honest about what personal data they process, for what purpose, under what lawful basis, how long they keep it, who it's shared with, and a host of other things.
The right to be informed is covered by Art 12-14 of the GDPR, and guidance has been provided by the A29WP via their Transparency guidelines and summarised by the ICO here.
The way most organisations have attempted to fulfill these requirements is by placing a Privacy Notice (N.B. A Notice is external, a Policy is Internal) on their website. The privacy notice can't be buried 5 pages in, it needs to be clearly displayed on the website – most people tend to place the link in the footer of each page.
Unfortunately, many organisations have used boilerplate templates that neither reflect the actual processing that their organisation does, nor are actually understood by the organisation themselves. This second point risks the organisation being non-compliant with Art 5.2 – Accountability if there are complaints or queries about the content (e.g. Hall and Hanley).
A privacy notice needs to properly represent the actual processing performed by your organisation and not an imaginary organisation that does something similar. The paperwork must match the reality.
This is why there are no templates provided by regulatory bodies such as the ICO, or good consultants. The best an organisation could hope to get from a template is a series of headings. A chiropractic clinic will process very different information from an engineering company; Netflix will process way more profiling data than, for example, a logistics and delivery company. This means that there is no 'one size fits all' template – because it would be meaningless. If you do belong to a professional body, it's possible they will have a semi-suitable template because all members of the body do similar things. However, you will still need to adapt the policy to your individual circumstances and understand what it says if you are to be accountable.
The ONLY purpose of a Privacy notice is to serve. It never forms part of the T&Cs of service and is never agreed to, consented to, accepted by check-box or otherwise. If you read a Privacy Notice that says this, run for the hills and get them to take advice from someone who knows what they're doing.
It's also worth saying that a privacy notice is an output of a lot of other foundation work, and this is often overlooked. Art 30 Records of Processing Activity is a must-have for any organisation. If you don't have your data mapped out with your lawful bases, how can you possibly describe what you do and why to the people served by the privacy notice? It would be a bit like trying to build a house without foundations, and would result in the same ending.
I've heard it said by one organisation that they don't need a privacy notice because they are a business to business organisation.
Wrong – Transparency is a legal requirement whenever you are processing personal data. An email that is ‘name.surname@organisation’ is still personal data. An email that is ‘info@organisation’ could also easily be personal data if there is only one director in a Limited Company. If there is any way at all of identifying individuals, either from the data itself, or in combination with other data, it is personal data, and you need to be transparent about how it's handled.
There is a lot more that could be said about privacy notices, and I could provide some humdinging examples of how to do it badly, as well as some pretty good ones too, but this isn't the place for that.
Check out the links at the start of the article for ICO checklists and links to the GDPR, and if you feel like you need specific advice, get in contact with me at firstname.lastname@example.org and I will be happy to discuss requirements.
Garden City Assurance Ltd
Registered Company 12123178
ICO DC Registration ZA540727