Posts Tagged ‘gdpr’
Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information. The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one. The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.
Information audit
The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:
- What personal data your organisation collects, including from customers, suppliers, employees, visitors, job applicants etc.
- How the personal data is collected.
- Where the personal data is stored, and what technical and organisational measures are in place to ensure security.
- What your organisation does with the personal data.
- Whom the personal data is shared with, including data storage and SaaS providers.
- Whether the personal data is transferred to locations outside the UK, and if so where.
- Whether the personal data includes any ‘special category data’, and if so whether any additional safeguards have been put in place.
- How long the personal data is kept.
Privacy notice
The next step is then to create the privacy notice by documenting the output of your information audit. The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:
- Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
- The types of personal data the controller collects, and how the personal data is collected.
- Whether any of the personal data constitutes special category data.
- What the controller intends to do with the personal data.
- The lawful basis for processing the personal data.
- Whom the controller shares the personal data with, and why.
- Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
- How long the controller keeps the personal data.
- How the controller keeps the personal data secure.
- If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
- Whether the controller uses automated decision-making, including profiling, and if so details of the logic involved and the consequences of the processing for the individual.
- What rights the individual has in relation to their personal data.
Final thoughts…
- When drafting a privacy notice, it’s tempting to take a broad, catch-all approach – “we will or may use your information for some or all of the following purposes…”, followed by a long list covering pretty much everything you can think of. Although strictly speaking accurate, the broad-brush approach is likely to struggle to satisfy the “concise, transparent, intelligible” requirement. Put yourself in the data subject’s shoes: having read the privacy notice, would you understand how your personal information will in fact be used, stored, shared, etc.?
- Because of the amount of information that you may need (or want) to include, consider adopting a ‘layered’ approach for the privacy notice. This is where you have a high-level, top-layer notice with the key privacy information, with links enabling the data subject to click through a second layer with a bit more detail, and then from the second layer there may be further links to a third layer with the full detail. This layered approach may be particularly useful for mobile or smart devices with small screens.
- There is no requirement for all the privacy notice content to be provided to the data subject in one go, and it may make sense for you to provide the data subject with privacy information at the time that they are actually providing you with their personal data – so-called ‘just-in-time’ notices.
- As your organisation evolves through the use of new technologies and/or you offer new products and services, it’s likely that personal data will be collected and used in different ways. Put in place a process which ensures that your privacy notice is updated in line with these changes, and that the updated notice is then communicated to your data subjects.
Tags: data protection, gdpr, information audit, layered privacy notice, privacy notice, privacy policy
Posted in Privacy, Updates
OK, let’s start with the basics. What is ‘special category data’?
Article 9 of the GDPR (as incorporated into UK law, and amended) (“UK GDPR”) defines special category data as:
- Personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership.
- Data concerning:
- health
- a person’s sex life
- a person’s sexual orientation.
- Genetic data.
- Biometric data (where used for identification purposes).
In short, special category data is personal data that needs more protection because it is sensitive.
And what does ‘more protection’ mean?
It means that, in addition to ensuring that the processing is generally lawful, fair and transparent, and that it complies with all the other principles and requirements of the UK GDPR, you must comply with the following requirements:
- Prior to processing any special category data, you must not only identify and document a lawful basis under Article 6 (as required for all processing of personal data), but you must also satisfy at least one of the conditions for processing special category data listed in Article 9.
- Of the 10 conditions for processing special category data in Article 9, five require you to meet additional conditions and safeguards set out in Schedule 1 of the Data Protection Act 2018 (“Schedule 1 conditions”). For some Schedule 1 conditions you also need to put in place an ‘appropriate policy document’. The ICO has provided an appropriate policy document template.
- In practice, you may need to use the explicit consent condition for the special category data processing (Article 9(2)(a)). If so, then bear in mind that the individual’s consent must be:
- freely given
- specific, i.e. it must specify the nature of the special category data, and be separate from any other consents
- affirmative, i.e. opt-in
- unambiguous
- capable of being withdrawn at any time.
- Article 35 requires you to do a Data Protection Impact Assessment (DPIA) for any type of processing that “is likely to result in a high risk to the rights and freedoms of natural persons”. This is more likely to be the case when processing special category data.
- Article 30 requires controllers to maintain a record of processing activities. The exemption from this obligation for organisations employing fewer than 250 persons (Article 30(5)) does not apply where the processing includes special categories of data.
- Update your privacy notice with specific information about your processing of special category data.
Tags: Article 9 conditions, dpa 2018, gdpr, lawful basis, lexoo, sensitive data, special category data, UK gdpr
Posted in Privacy, Updates
23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’. (more…)
Tags: data protection, essentially equivalent, FISA, gdpr, privacy shield, SCCs, tia, transfer impact assessment
Posted in Privacy, Updates