Privacy policies – does anyone ever read them?

Drafting GDPR compliant privacy policies is a real skill even with a complete data map in front of you.

Articles 12, 13 and 14 GDPR set out in detail the information that must be included in privacy notices. In 2016 the ICO consulted on revised guidance for privacy notices and has updated its issued guidance to cover GDPR. It is reviewing this guidance again and hopes to publish any further changes shortly. There is lots of talk of layered privacy notices and blended notices, but what does this mean in practice for organisations that publish their privacy notices on their websites? Only that organisations are dependent on the functionality of their websites. If hyperlinks can be used within the privacy notice to allow readers to read the detail behind the summary, then great. Otherwise, privacy notices will look and feel like online terms and conditions – lengthy, detailed, non-negotiable and very rarely read by those who use the product/website until something goes wrong.

How then can we make them interesting and readable? My view is to pretend you are a data subject reading the notice and think about what you are interested in when you are asked to provide your personal data. Here are my top 5 concerns without my data privacy hat on:

1. Is my data going to be safe?

With all the media headlines about data breaches, the genuine number one concern is: does the organisation have sufficient data security measures in place, and what are they?

2. Is my data going to be shared and, if so, with whom?

I am providing my personal data to organisation A for a reason. If there is a genuine need for it to be shared in order for that reason to be achieved/fulfilled, then fine; otherwise I only want to give my personal data to those I choose to give it to. Please tell me who is going to have access to it and why.

3. How long is my data going to be kept for?

This really links into number 2. If I am buying something online and choose to check out as a guest, I only want my personal data to be kept for as long as necessary to complete my purchase and possibly deal with a return or complaint. If I am subscribing to a monthly newsletter, then of course I expect my personal data to be kept for as long as my subscription is valid. The most important point here is the purpose for which you are providing your personal data.

4. Who do I contact, and how, if I have a concern?

Something has gone wrong – who do I contact, and how? I want a name, an email address and a telephone number. I may not be confident emailing my concern, so I also want a postal address.

5. What are my rights when something has gone wrong or I have changed my mind?

Setting out clearly the data subjects’ rights listed in Chapter III GDPR is important, but make them user-friendly. What does the right to erasure mean in layman’s terms? What is data portability, and is it really relevant to the service/product you have provided your personal information to receive?

Everything else needs to be included too, but make sure you structure your privacy notice carefully to capture attention, make reading it straightforward and, lastly but just as importantly, ensure it is GDPR compliant.

GDPRing on a daily basis

I am now living, eating and breathing GDPR on assignment and with other individual clients.

For lots of organisations GDPR compliance is real and genuinely being worked on. This means a complete review of data assets to create data flow maps and to understand what personal data they collect and process, and in what capacity: data controller and/or data processor. This foundation work is the key to achieving and maintaining compliance and the only way organisations can understand their responsibilities.

Joint and several liability for data processing breaches as set out in Article 82(4) is a potential risk if organisations don’t understand their data controller responsibilities with respect to their processors (Article 28) and data processors don’t manage their sub-processors properly (Article 28(4)). The neatest way to manage this is to determine each party’s role and draft GDPR compliant processing agreements.

However, equally important, and something that needs to be worked on sooner rather than later, is processor due diligence. Amending processor agreements to enshrine Article 28 may feel like enough to achieve compliance, but without underlying due diligence being carried out well in advance of 25 May 2018, all that you may have created is a contract breach on 26 May 2018. Article 29(3)(h) requires processors to make available to the controller all information necessary to demonstrate compliance with the obligations set out in Article 28. This effectively gives controllers the right to audit their processors, so that they can satisfy themselves that processor compliance is genuine and matches the processor’s contractual obligations.

Privacy policy redrafts next month.