GDPR and Privacy Policies: Get ready for Change

GDPR data privacy

There’s new EU legislation on the horizon that will affect every online business in the UK. In fact, it will affect any online business that trades with EU citizens wherever they are in the world. This legislation is the EU General Data Protection Regulations (GDPR).

While that all sounds rather scary, there’s no need to panic because:

  • you’ve got over a year to prepare – the GDPR does not come into effect until May 2018
  • the new legislation builds on existing data protection rights and responsibilities – if you’re complying with existing data protection laws then you’re already heading in the right direction.

Large organisations and those who process sensitive data may have to make significant changes in order to fully comply.  Small businesses with a modest online presence will be affected to a lesser extent, but it can’t be ignored.  Now is a good time to start thinking about what changes you will need to make to comply.

This article looks at what the GDPR is all about and gives an overview of how website privacy policies will be affected.  If you need further details of the GDPR and current ICO guidance, please visit the ICO website.

What is the GDPR?

The GDPR is an EU regulation that has been talked about, debated and amended in the EU Parliament since 2012.  It was finally passed in December 2016 and will come into force in all EU member states in May 2018.  It represents a complete overhaul of EU data protection legislation and replaces the current EU Data Protection Directive (95/46/EC).

This is an EU regulation (rather than a directive) and so will become part of our nation law as soon as it comes into force.  The government has already said the GDPR will commence in May 2018 regardless of where we are with Brexit.

GDPR Overview

The GDPR is a bit of a monster at over 200 pages of text.  It sets out a wide range of roles, rights and responsibilities to protect personal data collected, held and processed on EU citizens.  It goes beyond existing data protection laws to encompass cloud services.  The definition of personal data is wider and can include things such as IP addresses. It introduces stronger penalties for non-compliance and greater rights for data subjects.

Even though the legislation has been finalised, how it will apply in practice is not 100% clear in many areas.  The ICO is developing and issuing guidance over the coming months which will help businesses prepare and comply.

For now, we’ll start of by looking at the impact on website privacy policies.

Privacy policies

The amount of information you have to include in your privacy policy has increased under the GDPR.   You are also required to be clear and concise, so bit of a challenge there!

Your privacy policy will need to include the following in order go comply:

  • Your identity and contact details (as the controller).
  • Identity and contact details of the data protection officer (for large organisations and those special categories of data e.g. sensitive personal data).
  • Who will use the data.
  • Purpose and legal basis for processing.  If legitimate interest is being relied upon, details of that interest (see below for further discussion of ‘legal basis’).
  • Details of transfers of personal data outside the EC, details of safeguards and how to get copies of transfer agreements.
  • How long the data will be stored for, or how the retention period is calculated.
  • A list of the data subjects rights including: the right to object/opt-out of direct marketing, the right to make a subject data access request and (a new right) the right to be “forgotten”.
  • The right, at any time, to withdraw any consent previously given .
  • Whether the data subject has to, by law, provide the information, or provide it as part of the contract with you and the consequences of not providing the information.
  • The right to complain to a supervisory authority.
  • Details of any automated decision making.

There are some differences if the data is collected by a 3rd party.  The above will apply when you collect personal data directly from the data subject.

There is also the possibility that a set of standard icons may be introduced to show how data is being used.  While it’s not a requirement to use icons yet, it could become one.

Legal basis

Having a ‘legal basis’ for using personal data is not new to the GDPA.  It simply means that you have to have a good reason for using the personal data you said you are collecting.  Under the GDPA you must identify and document which of the allowed legal bases (reasons) that apply.

The legal bases you can use are:

  1. Consent.
  2. For the performance of a contract with the data subject or to take steps to enter into a contract.
  3. For compliance with a legal obligation.
  4. To protect the vital interests of the data subject or another.
  5. Necessary to perform a task in the public interest or exercising an official authority.
  6. Legitimate interest except where overridden by the rights, interests or freedoms of the data subject.

N.B. Other legal bases are available that relate to special categories of data.

For many small businesses, bases 1,2 and 6 are likely to be the most relevant.  The GDPA will make it more difficult to obtain a data subject’s consent and they will have the right to revoke that consent at any time.  The concept of ‘legitimate interest’ is not new to the GDPA and could cover business activities such as marketing, sales, research and even debt recovery.

A layered approach

All of the above should be give at the time the data is captured.  That, however, might be difficult to reconcile with the requirement to also be clear and concise.   Your privacy policy may actually end up being quite long (with additional sections on cookies, external links etc).

The ICO suggest that best way to present all this information is likely to be a ‘layered’ approach where you provide a short, clear summary at various points, where personal data is collected, with a link to the detailed privacy policy.  This might mean that you will need to change both your privacy policy page and others across your website.

Have a look at the example given on the ICO website.

What next?

There is nothing you absolutely have to do now to comply with the GDPA since the legislation is not yet in force.  There are, however, some things you can start to do now that will help you comply quickly and with as little disruption as possible.  For starters:

  • Review what personal data you collect.  Make sure you know what data you collect, check that you really need it, and understand what you do with it.
  • Check your existing privacy policy and make sure you are already complying with existing best practices.
  • Consider how you might use a ‘layered’ approach to providing the information in your privacy policy.

If you’re planning to update your website before May 2018, take the opportunity to design in the new privacy features now.

At Clickdocs we’ll continue to watch for new guidance from the ICO and will blog on the subject, from time to time, as useful information becomes available.  In the first quarter of 2018 we will issue an update Privacy Policy template to help websites comply.