Guide

General Data Protection Regulation (GDPR)

Privacy notices under the GDPR

A privacy notice is one of the key documents you will have to produce if you process personal data, in order to comply with the General Data Protection Regulation (GDPR).

What is a privacy notice?

A privacy notice is essentially a public statement that explains - at the point of data collection - how you collect, process and use people's data. It helps people understand what would happen to their data if they decide to share it with you.

Individuals are entitled to this information under their right to be informed. See more on data subject rights under the GDPR.

What should I put in a privacy notice?

The GDPR prescribes the categories of information and the level of detail you must include in your privacy notice.

When writing a GDPR-compliant privacy notice, your focus should be on transparency and communicating clearly, honestly and openly with the individuals. The key points you may need to address are:

  • Who is collecting the data?
  • What data are you collecting?
  • How are you collecting it?
  • What is the purpose and the legal basis for processing the data?
  • Who can access the information?
  • Will you share the data with any third parties?
  • Will you transfer the data abroad?
  • What safeguards will you put in place for security of this data?
  • How will you use the information?
  • How long will you store the data for?
  • What rights does the data subject have, including to withdraw consent?
  • How can the individual raise a complaint?
  • If you will be making automated decisions about the individual, including profiling

What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to, or obtain it from another source.

The Information Commissioner's Office (ICO) produced detailed guidance on privacy notices, explaining exactly what information you are required to include.

When should I give a privacy notice?

If you are collecting information directly from individuals, you must present them your privacy notice at the point of data collection. Often, this happens as part of obtaining consent from the user or telling them about legitimate interests.

If you're obtaining information about an individual from a third party, you should give them the privacy notice:

  • within a reasonable period (typically one month) of having obtained the data
  • when the first communication takes place, if you use the data to communicate with the individual
  • before you disclose the data, if you plan to share it with or transfer to another recipient

If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people’s attention.

Learn more about the timescales for providing your privacy notice.

How to deliver privacy notices?

The ICO suggest several techniques you can use to provide privacy information to individuals. For example:

  • a layered approach - providing key privacy information immediately and then expanding or linking to more detailed information for those that want it
  • via just-in-time notices - providing information at certain points of data collection (eg during purchasing or interaction)
  • by using icons and symbols - to indicate that a particular type of data processing is occurring
  • through dashboards - giving the user a link to a dashboard or information management tool, or prompting them to review their privacy settings
  • by deploying mobile and smart device functionalities - eg a video notice, on-screen notifications or voice alerts on a smart phone

See examples of how you can deliver privacy notices.

Making your privacy notice GDPR-compliant

If you had a privacy notice compliant with the Data Protection Act 1998, it is unlikely that it will meet the transparency and other requirements of the General Data Protection Regulation. You will have to review it and very likely:

  • simplify the language
  • improve access to it
  • include additional information required by the GDPR

Your privacy notice should be GDPR compliant from 25 May 2018 onwards.

You may decide to use a privacy notice template - many are available on the internet. However, if you choose to do this, make sure that the template is GDPR-compliant and that you customise it to reflect exactly what you do with personal data.

Rather than using a standard template, our sample privacy notice document can help you to structure your privacy information in a way that addresses the key GDPR requirements. See sample privacy notice for more information.

For further detail on privacy notices, see what privacy information you should provide to individuals.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.