UK General Data Protection Regulation (UK GDPR)
Privacy information under the UK GDPR
The UK General Data Protection Regulation (UK GDPR) specifies the types of information that you need to provide individuals with, if you're processing personal data that relates to them.
This is called 'privacy information'. It's best to have this privacy information written down in a document called a 'privacy notice'.
What are privacy notices under GDPR?
A privacy notice is essentially a public statement that explains - at the point of data collection - how you collect, process and use people's data. It helps people understand what would happen to their data if they decide to share it with you. Individuals are entitled to this information under their right to be informed.
Before you start drafting your privacy notice, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise.
You must also take care that you communicate privacy information clearly, honestly and openly with the individuals.
What is in a privacy notice?
The UK GDPR prescribes the categories of information and the level of detail you must include in your privacy notice.
The key points you may need to address are:
- Who is collecting the data?
- What type of data are you collecting?
- How and why are you collecting it?
- What is the purpose and the lawful basis for processing the data?
- Who can access the information?
- Will you share the data with any third parties?
- Will you transfer the data abroad?
- What safeguards will you put in place for security of this data?
- How will you use the information?
- How long will you store the data for?
- What rights does the data subject have, including to withdraw consent?
- How can the individual raise a complaint?
- Will you be making automated decisions about the individual, including profiling?
What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to, or obtain it from another source.
The Information Commissioner's Office (ICO) has detailed guidance on privacy information, explaining exactly what information you are required to include.
When should privacy information be issued?
The UK GDPR says that you must provide individuals with privacy information at the point of data collection if:
- you are collecting information directly from individuals (eg when they fill in a form)
- you are collecting data by observation (eg using CCTV or tracking people online)
Often, this happens as part of obtaining consent from the user or telling them about legitimate interests.
If you're obtaining information about an individual from a third party, or from a publicly accessible source, you should provide privacy information within a reasonable period after obtaining the personal data, but at the latest within one month.
If, for instance, you plan on:
- using personal data you obtained to communicate with the individual it relates to, you must provide personal information when the first communication takes place
- disclosing an individual's personal data to someone else, you must provide personal information before you disclose the data
One month time limit still applies in these situations.
If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people's attention.
Ways to provide privacy information
You can use a number of techniques to provide people with privacy information. For example:
- a layered approach - short notices containing key privacy information that have additional layers of more detailed information
- just-in-time notices - providing information at certain points of data collection (eg during purchasing or interaction)
- icons and symbols - to indicate that a particular type of data processing is occurring
- dashboards - preference management tools that inform people how you use their data and allow them to manage what happens with it
- mobile and smart device functionalities - eg pop-ups, voice alerts and mobile device gestures
You can also use a blended approach. Using more than one of these techniques is often the most effective way to provide privacy information.
UK GDPR privacy notice templates
You can use our sample privacy notice document and customise it to fit the circumstances of your business and the type of processing that you do.
Alternatively, you can use the ICO's template to help build your own privacy notice. The template is especially suitable for small businesses, sole traders and community groups. Download the ICO's privacy notice template (Word, 38K).
Other templates are available on the internet. Make sure that whichever template you use is GDPR-compliant, and that you customise it to reflect exactly what you do with personal data.
This guide does not constitute legal advice and is provided for general information purposes only.