GDPR (the General Data Protection Regulation) will come into force in the UK on 25th May 2018. The new legislation will significantly increase the regulation and policing of data security and data processing. As a result, the GDPR and privacy policies are currently hot topics.
The GDPR Regulations give significantly more rights to the owner of the data (the ‘data subject’). There are also significantly greater fines and penalties for businesses collecting and using an individual’s data.
As a result, it will be necessary for all businesses that have an online presence to update their existing websites’ privacy policies to cover the GDPR.
To Whom Do the Changes Apply?
In many instances the personal data you collect will be an individual’s name and email address. If you are just obtaining a business email address which does not include an individual’s name, then that does not count as personal information.
Bear in mind that, if your website focuses on business-to-business, some small business owners still use their personal email address, which will count as personal data if they can be identified from it, i.e. if it includes their name. (This is a significant change from the rules under the Data Protection Act 1998, when such a business email address would not have been classed as personal data.)
For those who prefer to make the changes themselves, we set out below the key changes that need to be made to websites’ privacy policies to make sure that, come May 2018, they are up to date.
The GDPR and Privacy Policies
All privacy notices that a business issues will have to be ‘transparent, concise and easily legible’, as well as being written in clear, plain English. No room for legal jargon!
Increased Provision of Information
As well as providing additional rights to the data subject, a key aspect of the GDPR is the provision of information to the data subject. GDPR sets out very specific requirements for what information you must provide to data subjects in the privacy notice. These include:
1. The identity of the data controller
This will be you as the party that collects the data subject’s information. An individual has a right to know the identity of the legal entity that is collecting their data.
2. What choices the data subject has
The principle of ‘fair processing’ under GDPR requires that individuals must have control of their personal data. You must:
- give individuals the option to request the deletion of their personal data; and
- tell them how they can do that.
3. What information you are collecting
You will need to be very specific about what data you collect from the data subject. Most frequently, this will be their name, address and email, as you, as the business, need this to fulfil the purpose for which the data subject provided their information to you.
4. Why you are collecting the information
It is now necessary for you to set out exactly why you are collecting the personal information from the data subject. This may be to provide them with the download, guide or service that they have requested. Be specific. As the ICO states, you should map out your data processing functions and then list the specific purposes for which the information provided will be used.
5. How long the data will be used and kept for
The new requirements state that an individual must now be notified as to how long their data will be kept. The time period must be reasonable and directly related to the purpose for which you collected the data. This may vary considerably, depending on why you collected the data.
6. Who you will share the information with
As the party that collects the data (the ‘Data Controller’) you will be intending to do something with that data. In many instances you will need to pass that data to a third party to carry out the function. That party is a ‘Data Processor’. It is your responsibility to tell the data subject who will be processing data on your behalf. It may also be the case that you will process the data internally. If so, you need to state that too.
7. Transfer of personal data outside of the EEA
You must notify the individual if you might transfer their data outside of the European Economic Area (EEA). The assumption is that countries that are not themselves bound by GDPR may offer weaker protections.
Accordingly, an individual must be notified if this will be the case. They then have the choice as to whether they wish to provide the data and so consent to the transfer.
Many businesses will transfer the data that they collect to a third party to process that data. For example, this happens when passing data to a payment processing company, or when a company does marketing for your business.
More and more businesses use cloud storage services, and often they will store their customer data with a company based outside of the EEA.
Data Subjects’ Rights – to go in GDPR-Compliant Privacy Policies
Under GDPR, privacy policies must tell the data subjects what rights they have. These rights extend to:
- The right to request that you delete, correct or bring their data up to date;
- The right to request that you transfer their data to another party (this is part of the data portability requirement);
- The right to complain to a supervisory body, and who that body is.