Virtually every business processes personal data. By ‘processing’ we mean essentially anything you do with information that can identify an individual: collecting names, contact details and the like on a website contact form, entering contact details into Outlook, forwarding an individual’s details to a third party by email, and so on.
The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
At the time of collecting personal data (or as soon as feasible afterwards) organisations are required to provide certain information to the individuals (data subjects). This is often done by way of a Privacy Notice. A Privacy Notice is an external document generally for public consumption, and this is not to be confused with a Data Protection Policy, which is an internal document aimed at employees and other stakeholders. Both are important documents which help demonstrate compliance with the legislation. Your Privacy Notice should be written in clear, plain language that is easily understood, and if possible should not be too lengthy.
It’s important to include all of the following in your Privacy Notice:
The name and contact details of your organisation.
The name and contact details of your representative (if applicable).
The contact details of your data protection officer (if applicable).
The purposes of the processing.
The lawful basis for the processing.
The legitimate interests for the processing (if applicable).
The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
The recipients or categories of recipients of the personal data.
The details of transfers of the personal data to any third countries or international organisations (if applicable).
The retention periods for the personal data.
The rights available to individuals in respect of the processing.
The right to withdraw consent (if applicable).
The right to lodge a complaint with a supervisory authority.
The source of the personal data (if the personal data is not obtained from the individual it relates to).
The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
The details of the existence of automated decision-making, including profiling (if applicable).
You may have a variety of Data Subjects whose information you hold, such as customers/clients, employees and job applicants, suppliers etc. In these circumstances it’s a good idea to consider producing a ‘layered’ Privacy Notice which will direct individuals to the specific information relevant to them.
There are other mandatory documents that organisations are required to have in place in order to be compliant with the UK GDPR. We can provide you with all required documentation, tailored to your business. Please get in touch for more details.
Nick Richards CIPP/E CIPM