In 2018, the EU General Data Protection Regulation, commonly known simply as the GDPR, represented a significant modernisation of data protection law, one that took into account significant new developments in technology and new uses of personal data that simply did not exist at the time of the previous legislation, the Data Protection Act 1998. Following the UK’s departure from the European Union, the GDPR (with certain contextual alterations which change little from an SME perspective) is retained in UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and is now known as the “UK GDPR”. Together with the Data Protection Act 2018, the UK GDPR forms the backbone of UK data protection legislation (alongside other important laws such as the Privacy and Electronic Communications Regulations). These pieces of legislation are often collectively referred to in legal and business documents as “the Data Protection Legislation”.
Note that these Guidance Notes cover UK data protection compliance. If you process personal data relating to individuals outside of the UK, additional rules (such as the EU GDPR) will apply.
At the core of the UK GDPR are the principles of lawfulness, fairness, and transparency. Under these principles, you must have a valid lawful basis for collecting, holding, and processing personal data, you must only use it within the bounds of the law itself, and you must only use it fairly, i.e. it should not be used in a way that is unduly detrimental to individual data subjects, or in any way that is unexpected or misleading to them.
Of central importance to these Guidance Notes is the principle of transparency, which is itself closely related to the individual “Right to be Informed” under the UK GDPR. This essentially encompasses all of the above, as you must inform individuals about the personal data you are collecting from (or about) them, the purpose or purposes for which you are using that data, how long you will hold it, and who (if anyone) you will share it with.
This all-important “Privacy Information” must be provided in a manner that is easily accessible to individuals, meaning that you should use clear and plain language to concisely and transparently convey everything that is required to individuals. This, it must be conceded, is not always easy because of the sheer weight of information that the Data Protection Legislation requires you to provide. These Guidance Notes have been designed to set out the information required, to explain that information in detail, and to provide a practical context in order to assist in completing your own Privacy Information.
Part 1. The Information Required
Whatever you decide to call it, your Privacy Information must include the following:
- The name and contact details of your organisation:
- It is important that data subjects know who is using their personal data.
- The name and contact details of your representative (if applicable):
- If you provide products or services to, or monitor the behaviour of, individuals in the EEA but are based outside of the EEA, you must appoint an EEA-based representative. As of 1 January 2021, this applies to businesses in the UK. The UK GDPR contains the mirror-image requirement (Article 27): an organisation based outside the UK that offers goods or services to, or monitors the behaviour of, individuals in the UK must appoint a UK-based representative.
- The contact details of your data protection officer (if you have one):
- Some organisations are required to appoint a data protection officer by law. Even if you are not required to have one, you are free to do so (and it can be a good idea to have a single point of contact and responsibility for data protection matters).
- Details about the personal data that you collect:
- It is important to consider the breadth of the definition of “personal data” when providing this information. Remember that personal data is ‘any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person’. Online identifiers in particular are likely to be a common form of personal data collected by many businesses.
- Details about how you collect personal data:
- In many cases, this will be obvious from the context. Personal data collected, for example, via an online registration form to sign up to a website or via a paper order form at your premises will be quite clear to the individual. Less clear, however, is data collected behind the scenes such as that collected via cookies and similar technologies. Your Privacy Information should cover this. If you collect personal data, it is best to ensure that you explain how, whether it seems obvious to you or not.
- The purpose or purposes for which you process personal data:
- Individuals have a right to know how you will use their personal data and your purposes for collecting it. It is important to ensure that you clearly identify the purpose(s) for which you will process personal data and ensure that those purposes are lawful and fair.
- The lawful basis or bases on which you rely to process personal data:
- A range of lawful bases are available to you under the Data Protection Legislation, including consent, the need to process personal data in relation to a contract, compliance with a legal obligation, protection of an individual’s vital interests, performance of a task in the public interest or for official functions, and legitimate interests (the most flexible choice). You must identify your lawful basis before you begin processing; it cannot be chosen retrospectively.
- Your legitimate interests for processing personal data (if this is your chosen lawful basis):
- This is a flexible basis upon which a lot of personal data processing is justified. Care must be taken, however, to ensure that it is a valid choice. This is not a one-size-fits-all solution and is more likely to be suited to uses of personal data that individuals are reasonably likely to expect and which have a minimal impact on their privacy. Details of the legitimate interests you are relying on must be provided to individuals clearly.
- Where personal data is obtained from a third party rather than the individual to whom it relates, the category or categories of data involved.
- Details of any third parties to whom you transfer personal data (the recipients or at least the categories of recipient):
- While it may not always be practical or possible to provide full information, providing as much detail as you can under this heading is good for transparency. If possible, it is a good idea to provide links to the privacy notices or policies of those third parties.
- Details of any transfers of personal data to non-UK countries (known as “third countries”) or to international organisations (if applicable):
- It is important to keep in mind that this goes beyond direct transfers of personal data and can include the hosting of data electronically by a third party service provider in a non-UK country or simply making data available to an organisation situated outside the UK.
- From 1 January 2021, the UK itself, from an EU perspective, is a third country. At present, transfers of personal data from the UK to the EEA are permitted as before. Furthermore, under the terms of the EU-UK Trade and Cooperation Agreement, EEA to UK transfers will also continue to be permitted during a temporary period of up to six months, pending an EU Commission adequacy decision as to the UK’s data protection legislation.
- You should also state which safeguarding mechanism applies, whether it is an adequacy decision / regulation, model clauses, binding corporate rules, individual consent, etc. Following the end of the Brexit transition period, transitional provisions will ensure that existing EU adequacy decisions and approved safeguards will continue to be recognised in the UK. The UK will also be able to make its own adequacy decisions (“adequacy regulations”) and approve further safeguards. (Note, however, that during the temporary period mentioned under the previous point, such decisions and safeguards will be subject to EU approval. This is, however, unlikely to significantly impact your choices as a business as the Information Commissioner’s Office is unlikely to provide details of such safeguards until they are approved and ready to use.)
- Your retention periods for personal data (or how retention will be determined if certain personal data does not have a fixed retention period set in advance):
- Always remember that you are only permitted to keep personal data for as long as you need it in light of the purpose or purposes for which it was originally collected. For some data, retention periods are fixed by law, but in many cases, you will need to make the determination yourself.
- Details of individual data subjects’ rights as provided for in the UK GDPR including those relating to the processing of their personal data, their right to withdraw consent (if consent is your lawful basis for using their personal data), and their right to complain to the Information Commissioner’s Office:
- Individuals have a range of rights under the law and part of your job when providing Privacy Information is to set those rights out, along with details on how to exercise them. Where possible, providing easy mechanisms such as controls, preferences, or easy-to-use forms for individuals to exercise their rights can be a positive step.
- Where personal data is obtained from a third party rather than the individual to whom it relates, details of the source.
- Details of any legal obligation that data subjects are under to provide personal data, i.e. a statutory obligation or a contractual one, and of any possible consequences of failing to provide that personal data.
- If you carry out automated decision-making (including profiling) on the personal data, details of that processing including meaningful information about the logic involved and the envisaged consequences of the processing for the individual data subject.
As noted above, you must provide this information in a concise and user-friendly manner. It is also important to consider when to provide Privacy Information.
If you are collecting personal data directly from data subjects, you should supply this information at the time of collection. This approach is commonly seen online with privacy policies or privacy statements that users are required to read and accept when signing up to a website.
If, on the other hand, you are collecting data from a third party, it will not be possible to provide Privacy Information to the individual data subjects concerned at the time of collection. Instead, you must provide the information as follows:
- Within a reasonable period of obtaining the personal data from the third party and, in any case, no more than one month thereafter; or
- If you intend to communicate with the data subject, when your first communication is made, at the latest; or
- If you intend to disclose the personal data to another party, when that personal data is disclosed, at the latest.
Note also that if you are providing software applications, you should provide links to the relevant privacy information in the applicable stores. All major platforms including iOS, Android, Windows, and macOS allow publishers to provide specific links to their privacy policies from app pages in their respective stores. This helps to ensure that individuals can read your Privacy Information before downloading and installing anything. It is also important to ensure that your Privacy Information is accessible from within your software too.
Unsurprisingly, a great deal of information about the UK GDPR focuses on privacy online. Thought may also need to be given to the availability of Privacy Information on your premises. In some cases, it may be appropriate to provide privacy information alongside documentation designed to collect data. In other cases, displaying a privacy notice in clear view of, for example, your reception desk or till can be helpful. Furthermore, even if you do not collect personal data through your website or offer any facilities such as e-commerce, putting your “offline” privacy notice on your website can be a good way of increasing its accessibility for your customers.
The next question is how to present the information to individuals, ideally without overwhelming them. The Information Commissioner’s Office makes the following suggestions:
- A layered approach – splitting the information up into short sections which can be expanded or collapsed, thereby making for easier navigation and reducing the likelihood of information overload by presenting individuals with large bodies of endless text;
- Dashboards – privacy preference settings that inform individuals how their personal data will be used and how they can control it (we would suggest that providing everything required in this way would be difficult);
- Just-in-time notices – focused privacy information delivered at the time you collect specific pieces of information about individuals (this could work better in some scenarios than others as many organisations collect most if not all data at the same time);
- Icons – used, in essence, to mark-up the existence of particular types of personal data processing; and
- Mobile and smart device functionalities – for example, pop-ups, voice alerts, and gestures.
While it is clear that the Information Commissioner’s Office is trying to suggest a range of helpful methods that make complying with the right to be informed and the transparency principle easier for all concerned, it is perhaps difficult to envisage how some of their suggestions could work in practice. Your mileage, of course, may vary.
Part 2. Background – The Right to be Informed
This is what you’re doing it all for. Transparency may be the over-arching principle, but providing the required Privacy Information to individuals is, in essence, your fulfilment of their right to be informed.
The right to be informed is set out in Articles 13 and 14 of the UK GDPR and, as noted above, ties in directly with the principle of transparency. A key role of the UK GDPR is improving accountability, giving individuals control over how their personal data is used, and – as is the focus here – ensuring that they have a clear and complete picture of what you are doing with it so that they can make informed choices.
There is no doubt that complying with requirements such as this can be onerous, but it is important to keep in mind that there are many advantages that make it worth the effort. Not least is the fact that by providing the required Privacy Information, you reduce the risks associated with non-compliance, which can include substantial fines.
A small business might well consider itself low on the Information Commissioner’s list of priorities, but by showing a willingness to be transparent about your use of personal data, you may benefit from improved levels of trust which not only improve your business’ reputation but may even mean that individuals are more willing to provide useful personal information about themselves.
Part 3. Exceptions
As important as the right to be informed is, there are some limited exceptions. You are not, for example, required to provide data subjects with information that they already have when collecting personal data from them.
If you collect personal data from third parties, you do not need to provide privacy information to the data subjects whose data is involved where:
- They already have the required information;
- It would be impossible to provide the privacy information;
- It would involve disproportionate effort to provide the privacy information;
- Providing the privacy information would seriously impair (or make impossible) the achievement of the objectives of the personal data processing;
- Obtaining or disclosing the personal data in question is a legal requirement; or
- You are subject to an obligation of professional secrecy regulated by law that covers the personal data in question.
It is important to note that the second and third points above apply in particular to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and related safeguards set out in Article 89 of the UK GDPR (as supplemented by section 19 of the Data Protection Act 2018). This suggests, therefore, that SMEs using personal data for business purposes would struggle to justify relying on the exceptions.
Furthermore, whatever your justifications for relying on an exception, it is important to document your decision-making process and final choice, as is the case with all decision-making and management relating to data protection.
Even if an exception could apply, it is advisable to make your Privacy Information publicly available, so as to increase the chances that affected data subjects will see it. As a general rule, however, particularly in the SME business world, we would suggest that providing Privacy Information directly as a matter of course will be the preferred choice.
Part 4. Drafting Privacy Information – Language
As noted above, it is important that you present Privacy Information in a concise and user-friendly way. An important part of this is understanding your audience. Privacy Information presented on a business-to-business website for professional services may, for example, be presented in a more technical manner than a business-to-consumer website offering goods or, an example requiring even further tailoring, a website targeted at young people. In any case, it is good practice to avoid technical and legal jargon as much as possible.
The Information Commissioner’s Office recommends testing your Privacy Information out on your target audience, amending it as necessary based upon user feedback.
You should also ensure that you regularly review your Privacy Information to ensure that it is up-to-date with your actual use of personal data as well as the latest changes in the law, official guidance, and best practice.
Part 5. Dealing with Change
The ways in which a business uses personal data can be relatively fixed or relatively fluid, depending upon the nature of the business and the way in which new projects are handled. As covered in detail in our other Guidance Notes on Data Protection Impact Assessments and Data Protection Audits, it is important that any new uses of personal data are properly managed.
If a new use of personal data is compatible with the purpose for which you originally collected it, you may be able to continue with the new processing under your original lawful basis without further action, unless your original basis was consent (in which case fresh consent is needed for the new purpose). If, on the other hand, the new use of personal data is different from, and not compatible with, the original purpose, you must identify and document a new lawful basis for processing it.
Consequently, your Privacy Information will need to be changed to ensure that data subjects are kept fully informed of the ways in which your business uses their personal data. If any changes are made, it is important that you bring those changes to the attention of the affected data subjects.
Part 6. Dealing with Other Organisations
It is quite common for one organisation’s use of personal data to involve other organisations. In some cases, these third parties will be working with the personal data in some way or another under the instructions of your business. In such cases, the third party will be a data processor. In other cases, personal data may be shared on a more equal footing, with the recipient left to determine what they will and will not do with the data, meaning that the data will have been shared between two controllers.
Regardless of the context, the sharing of personal data will have an impact on your Privacy Information. As stated above, if you obtain personal data from third parties rather than from the data subjects to whom the data relates, this will affect the timing of your provision of the Privacy Information as well as its content. Similarly, if you share personal data that you have collected with others, you must tell the data subjects concerned either the names of the organisations you are sharing their data with or at least the categories that those organisations fall under.
Sharing Personal Data with Other Organisations
It is important that data subjects know who, if anyone, you are sharing their personal data with, irrespective of whether the recipient of the personal data is acting as a data controller or a data processor.
The UK GDPR requires you to identify the recipients of the personal data or, at the very least, the categories of recipient. It may be the case, for example, that a contractor with whom you share customer information for processing purposes has commercial reasons for keeping the identities of their clients confidential. In such a case, you could simply identify them by their category (e.g. IT service provider) rather than identifying them directly. What matters is that the information given to data subjects is meaningful and gives them a clear picture of what is happening with their personal data.
Wherever possible, individual data subjects should be given a choice. This will not always be practical, but wherever it is, a choice and a simple way to exercise that choice should be given.
Obtaining Personal Data from Other Organisations
If you obtain personal data, for example by buying it, from a third party, you are still required to provide Privacy Information to the data subjects involved unless you are able to rely on one of the exemptions outlined above in Part 3. As we have already observed, however, we would consider it less likely that one of these exemptions would apply to the typical small business.
If an exemption does apply and you determine that providing Privacy Information would involve disproportionate effort or would be impossible, you are still required to find ways of mitigating risks associated with processing the personal data involved. Conducting a Data Protection Impact Assessment is the best way to achieve this.
As explained in Part 5, above, you must also ensure that data subjects are made aware of any change in purpose and the lawful basis for any new processing in cases where personal data is being used for a purpose different to that for which it was originally collected.
As also noted above, while you are not expected to provide Privacy Information at the time personal data is collected in this way (nor could you, of course), you are required to provide it within a reasonable period of obtaining the data and no later than one month thereafter, or earlier if, before that month has passed, you first communicate with the data subjects concerned or disclose the personal data to another party.
Obtaining Personal Data from Publicly Available Sources
Even if personal data is drawn from publicly available sources, it is not a free-for-all. The Privacy Information requirements continue to apply unless an exemption applies (as above).
As when obtaining personal data from a third party, risks must be mitigated, and a Data Protection Impact Assessment conducted if you decide that it is impossible or would involve disproportionate effort to provide Privacy Information.
Even though personal data may be publicly available, individual data subjects still need to be kept informed and their personal data protected from misuse. If your plan is to use their personal data in a way that might be unexpected or intrusive (the Information Commissioner’s Office gives combining data from multiple sources as an example), it is important that clear information about that processing is provided.
As above, Privacy Information must be provided within a reasonable time, and no later than one month after obtaining the personal data in question (or earlier, as appropriate).
Part 7. Artificial Intelligence – Automated Decision-Making
AI and machine learning are as common in tech marketing now as the venerable phrase “making the world a better place”, but they are most certainly real and increasingly applied in the business world. While at this stage, it may be reasonable to assume that most small businesses will not be using AI, the increasing availability of new technology tools could make it a reality for many sooner rather than later.
AI can take many forms and in business is particularly useful for automated decision-making – something that the UK GDPR has a particular focus on in places. If such automated decision-making has ‘legal or similarly significant effects’, it is important that your Privacy Information explains what personal data will be used in that way, why it is relevant, and what the impact will likely be on the data subjects concerned.
In some cases, as new technologies emerge, it may be that existing personal data – a customer database, for example – will be used in new ways with those new technologies. It is always important to remember that, as stated above in Part 5, if you are using personal data for a new purpose, individual data subjects must be informed before you start and, if necessary, you must obtain fresh consent for the new purpose (if consent was your basis for using the personal data originally).
Part 8. Conclusions
At the core of the UK’s data protection regime, consisting principally of the UK GDPR and the Data Protection Act 2018, are the principles of lawfulness, fairness, and transparency. These three principles are inextricably linked, not only to one another, but also to the rights bestowed upon individual data subjects.
Personal data can be an extremely valuable business asset. In many cases, day-to-day business functions could not take place without it, but increasingly it has further value. The law recognises and supports this value but seeks to counterbalance it by protecting individuals’ interests and ensuring that organisations treat them, and their personal data, fairly and openly.
Providing comprehensive and user-friendly Privacy Information is a key ingredient in the data protection mix. It may, at times, be arduous, and may also have the unfortunate by-product of highlighting personal data use that you may feel your customers would object to. Ultimately, however, the benefits of complying with the all-important right to be informed should outweigh the costs. Not only is your own position more secure, having reduced your exposure to penalties for non-compliance with the law, but a trusting and loyal customer base goes a long way.