Further GDPR and Data Protection Act 2018 Improvements

August 2018

The “May Madness” of GDPR Privacy Policy updates may have subsided now, but that doesn’t mean your business should be standing still when it comes to data protection compliance. Following our initial round of privacy policy updates earlier this year, we have now updated our website privacy policies and “offline” privacy notice again, building on best practice that has become established since 25 May.

Keeping Data Subjects Even More Informed!

One of the key requirements of UK data protection legislation, now comprising both the GDPR and the Data Protection Act 2018, is the so-called “fair processing notice”. In more common terms, this is your privacy policy or privacy notice.

We have now made it easier for you to provide clear and precise details in a number of areas:

First, the section on data subjects’ rights now includes a specific reference to the right to withdraw consent. This will not always apply, as your chosen lawful basis for data processing (see below) may not be ‘consent’. Furthermore, the right to withdraw consent is not listed alongside the other rights included in this section in the GDPR. Nevertheless, we consider this to be an important update that leaves no doubt about the full panoply of rights available to data subjects, while also making it clear that it only applies in certain circumstances.

Second is the section headed “What Data Do You Collect and How?” which now takes the form of a table listing the data collected on one side and the method of collection and/or source on the other. Where data comes from a third party, your privacy information should specify the type of organisation and/or sector, and whether that source is private or public. It may also be helpful to indicate whether the source is inside or outside the EEA. Finally, while you do not have to name names, in the interests of transparency, it may also be desirable to provide specific details of each source.

Next comes the “How Do You Use My Personal Data?” section. This has again been enhanced with the addition of a table designed to be easy for you to fill in and for data subjects to understand. Across the table’s three columns, you should state what you do, what data you use to do it, and – most importantly – your lawful basis for doing so. Under UK data protection legislation, you must have a ‘lawful basis’ for using personal data. You may, for example, need to use the personal data in question to perform a contract with the data subject; you may have the data subjects’ express consent to use their personal data; or it may be in your ‘legitimate interests’ to use it. It is important that you choose your lawful basis carefully. Consent may seem like the easiest and safest option, but it can often be the least desirable choice and the hardest to rely on. ‘Legitimate interests’ is a broad and somewhat flexible basis, but if you choose to rely on it, you should state what your legitimate interest actually is in your privacy information.

A further important point to note where your use of personal data is concerned is the use of automated decision-making and profiling. Restrictions apply to such types of personal data processing, and data subjects have certain rights with respect to them. These restrictions and rights, however, only apply where the decision resulting from such processing has ‘a legal or similarly significant effect’. In such cases, not only do the rights and restrictions apply, but you must also provide ‘meaningful information about the logic involved’ as well as the significance and envisaged consequences for the individuals concerned.

Another table has been added to the document under “How Long Will You Keep My Personal Data?” Again, this has been designed to make this document easier for you to use, and for data subjects to understand.

Under the heading of “Do You Share My Personal Data?” we have added – yes, you guessed it – another table. When sharing personal data with other parties, there are certain minimum details you should provide to data subjects such as the category of recipient, the activity or activities carried out using the personal data, and where that third party is located (i.e. inside or outside of the EEA). It is also desirable, where possible and practical (although not all third parties will be happy with their identity being shared for commercial reasons), to provide the name and contact details of third-party recipients. In addition, it is important to state whether the third party in question will be receiving data in the capacity of a data controller or a data processor, and to provide details of their business sector.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.