Privacy Notices… are yours legally compliant?
Another month, and another GDPR blog… sorry! However, we’re getting increasing numbers of calls from practices asking us about Privacy Notices on their websites. This is a REALLY important part of the new Data Protection landscape, and it’s an easy one for you as a practice to be pulled up on – anyone can tell whether or not you’re compliant after a few minutes browsing your website! Fortunately, though, it’s also an easy one to fix… So in this blog, we’re going to take a quick look at Privacy Notices and give you some pointers on how to get these vital but irritating documents ready.
What is a Privacy Notice?
I’ve already got one, is that good enough?
Unfortunately not – the GDPR includes a LOT of extra information that you will need to incorporate – including a range of new Rights that Data Subjects (i.e. your visitors and clients) must be specifically informed of.
Does a cookie-notice count?
No – it’s necessary, but on its own a cookie notice doesn’t come close to meeting the requirements!
What does it need to include?
At the most basic, a Privacy Notice must include the following information:
1) What it is (yes, honestly!). There must be a section explaining “what the purpose of this Notice is”. This section should also include the revision date of the Notice.
2) A list of all the personal information you collect – and this isn’t just about the website, but you as an organisation. So you not only store people’s email addresses, but their address, contact number, pet’s details, payment information etc. etc. etc. It should also state clearly when, where and how you collect that information.
3) How you use that information. This should include your legal basis under the GDPR (generally either consent or legitimate interest or both) for collecting each piece of information listed above, and then why you keep it and what you do with it. You should also specify what will happen if a client, visitor or user fails to provide that information.
4) Who you share that information with – a full list of EVERY data processor you use. This might include us, your PMS provider, your email provider, Facebook and Twitter… anyone who might have access to the data you store.
5) How you store and secure the information, and where it’s held – although only in general terms, for obvious reasons! For example, you MUST state whether data is held outside the EEA – remember, if you use Gmail or Outlook, for example, the answer is that yes you do, as these services are hosted in the USA.
6) A statement about data rights under the GDPR and how people can make a rights request:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
7) Finally, it must specify how to contact you, how to complain, and how to escalate a complaint to the ICO.
Wow, that’s a lot! Can we use a generic one, or borrow one from another site?
No – the Privacy Notice MUST be bespoke and customised to your business and your website.
Well can you help?
Yes we can! We can help you write a Privacy Notice, and although we advise you get it checked by your own legal advisors, we can help you to draft a legally compliant one. If you have a website built and maintained by us, this is FREE. If not, there is a small charge, but we can certainly help you!
Remember, the GDPR comes into force on 25th May… you need to be ready by then! If you’d like help with Privacy Notices, or any other part of your digital offering, please get in touch!