The General Data Protection Regulation (GDPR) which takes effect on May 25, is a wide-ranging and complex piece of legislation – with very sharp teeth. Non-compliance could cost a business €20m or four per cent of global turnover, whichever is the greater.

An integral element of GDPR is a requirement for organisations to provide individuals with extensive information about the processing of their personal data.

This means you must have a privacy policy describing what, how and why personal data are collected and used. Failing to present your privacy policies properly, or not including specified information, could result in a substantial financial penalty.

GDPR requirements in a nutshell

Articles 13 and 14 of the GDPR set out the content that must be included in a privacy policy. GDPR-ready privacy policies must include the following:

  1. Details of your identity as the ‘data controller’
  2. What kind of personal data is being collected – such as names, addresses, card information, photographs and technical information including IP address
  3. The purpose and legal basis for processing
  4. How personal data is collected – for example whether it is provided by the data subject or collected through cookies
  5. Why personal data is collected – for instance processing card details for payment before shipping a product to a customer
  6. When personal data is shared
  7. When personal data is transferred outside of the European Economic Area (EEA) and what protections are in place to safeguard the personal data
  8. What choices individuals have in relation to data being shared
  9. How long personal data is kept – and if no time frame can be provided, how the retention period is to be calculated
  10. What rights individuals have – including the right to be deleted (see data subject rights below)

What you should know about GDPR: Data subject rights

GDPR gives individuals enhanced rights to find out what information is held about them. The new regulation means the privacy policy must make this very clear to the data subject.

Data subjects have the right to:

  • access personal data held about them
  • complain about processing (such as direct marketing)
  • data portability
  • object to processing undertaken by the data controller
  • complain about automated decision making
  • the updating of personal data
  • to be deleted or ‘forgotten’

The implications of the legal basis for processing

The legal basis for processing can be the individual’s consent; that processing is part of the fulfilment of a contract; or for the legitimate interests of the business. The most suitable legal basis should always be selected for any given processing activity.

Where the legal basis for processing is legitimate interest, businesses must also explain precisely what this is in their privacy policies.

Why it is important to understand what consent means

If the processing hinges on the data subject’s consent, this should be stated in plain English in the privacy policy. In addition, data subjects should be informed that they can withdraw their consent at any time. Consent also needs to be verifiable. This means efficient record keeping is essential.

What GDPR says about sharing personal data

In addition, the privacy policy should explain who the data controller will share personal data with, such as the data controller’s service providers and sub-contractors.

If your business is sharing personal data with third parties that want to rely on consent collected by the business – such as for direct marketing – the third parties must be specifically named in the consent request, rather than simply mentioned in the privacy policy.

Transferring personal data outside the EEA

GDPR means if personal data is processed outside the EEA, organisations must make this clear, as well as setting out which countries the personal data may be processed in. The privacy policy should also explain whether these countries are considered by the European Commission to have an adequate level of data protection.

For further assistance on getting your privacy policy GDPR ready, contact Taibah Rehman Khan on taibah.rehmankhan@whnsolicitors.co.uk or 0161 761 8091