UK data protection law requires all businesses that collect, receive or otherwise deal with (i.e. 'process') personal data to adhere to the 'transparency principle', i.e. to be transparent with the individual whose personal data is being processed. In order to comply with this legal requirement, organisations should have in place a clear Privacy Notice which is made available or easily accessible online.
What information should be included in the Privacy Notice?
- Information identifying the controller organisation which is processing the personal data. This includes documenting the following: (i) name; (ii) registered address; (iii) contact details; and (iv) the identity of your data protection officer, if one has been appointed.
- The type of data being processed and the reasons for doing so: (i) the types of data being collected; (ii) the purposes; (iii) the lawful basis for the processing; (iv) confirmation as to whether there is any automated decision making; and (v) how long the personal data will be retained. It can be helpful to analyse this on a data-flow-by-data-flow basis.
- How to deal with third parties: you need to disclose the identity of all specific recipients or categories of recipients to whom information will be disclosed. It may also be worth including a link to their privacy notices if they will also be acting as a controller.
- How to manage information received: If personal data will be received from outside the organisation, you will need to identify where this information originates.
- Identify where personal data will be processed: you will need to document all locations where personal data is processed and, if you are transferring personal data to any third countries (i.e. any country outside the UK), you will need to disclose this fact and consider whether you have in place the necessary legal protections.
- Consider what rights the individuals have, including the rights to correction, access and deletion of personal data and to withdrawal of consent, and document these rights in the Privacy Notice so that the individual is made aware of his/her legal position.
- Include wording around the Information Commissioner's Office (ICO) and the individual’s right to complain.
Timing Considerations
In circumstances where an organisation has directly collected the information from the individual, it must provide the information listed above in the form of a Privacy Notice at the time of collection.
If, on the other hand, the organisation has received the personal data from a third party or collected it indirectly, the Privacy Notice must be provided: (i) within one month of the date from which the information is received; or (ii) at the time at which the organisation actually communicates with the individual or provides the personal data to somebody else (if earlier).
The Privacy Notice must be re-presented if it is altered in any substantial way, or if the organisation changes the purpose of the processing and wants to re-use the personal data for that new purpose.
Are there any transparency requirement exceptions?
There are some exceptions, but they are exceptionally narrow in their application. For example, the transparency information does not need to be provided if to do so would require disproportionate effort (but do note that this is an exceptionally high bar and unlikely to apply in most scenarios).
How should the Privacy Notice be delivered?
You will often see an online Privacy Notice published alongside certain internal notices, such as the organisation's employee privacy notice or a candidate privacy notice. In terms of approach, the Privacy Notice can be online and the information fairly generic, unless the organisation has a specific audience, such as children, who are entitled to expect the language to be adjusted so that it is age appropriate. Privacy Notices should not be so verbose that they are difficult to interpret and thus, counter-productively, fall foul of the transparency principle. The EU tends to take a more detailed approach to Privacy Notices than the UK, but organisations must ensure that all relevant information is included.
A layered approach to delivering the information can be helpful: putting the most important information, such as the more intrusive processing, right at the top and then flowing down to some of the more generic language. Some organisations also use a variety of methods of delivering the information, e.g. 'Just In Time' notices, where the information is communicated at the moment an individual takes an action or clicks a button. There are also some novel ideas in the market, such as LEGO, who have produced a gamified version of their privacy notice which looks very much like their product.
If you require any assistance regarding Privacy Notices, please don't hesitate to contact a member of our Corporate and Commercial team.
