GDPR-compliant privacy notice structure

The fundamental purpose of a privacy notice under GDPR and the UK Data Protection Act 2018 is to inform the data subject about your processing of their personal data so they can exercise their rights in relation to that processing. It is not a public relations document or a set of ‘terms and conditions’, but a legally binding unilateral statement of your obligations to the data subject.

A privacy notice must therefore be simple to understand, must accurately express the processing you perform and must support the exercise of the data subject’s rights in respect of the specifics of your processing. For example, the data subject must be able to clearly identify and object to a particular purpose or the processing of a specific data category in a given context without confusion with any other purposes or processing. Thus completeness, detail and clarity are essential to fulfilling the legal requirements for transparency and accessibility.

It is not compliant to over-generalise the descriptions of your processing, to fail to justify it as lawful and necessary, or fail to explain adequately the data subject’s rights in relation to it. In aid of accessibility, a separate privacy notice should ideally be created for each data subject category, with a title (and any web link to it) clearly indicating the category of data subject to whom it relates. Where your processing affects only a small number of data subject categories and the details of processing are simple, the individual notices could be presented as sections of a single document, but the sections relevant to different categories of data subjects should be clearly identifiable by them.

Long, complicated privacy notices should be avoided, so in general consideration might usefully be given to creating multiple data subject-specific documents. We usually recommend clients as a minimum to segregate privacy statements relating to internal (e.g. staff) data subjects, suppliers and customers from each other in the interest of maintaining the public image of the business.

We recommend this structure for a data subject category-specific privacy notice:

[1] A brief statement identifying the category of data subject and the context of all the processing to which the notice relates (e.g. ‘This privacy notice applies to individuals acting in the capacity of representatives of suppliers to our business.’)

[2] Your corporate details (as per Companies legislation) and an indication of the company’s general status as Data Controller or Data Processor as applicable to this category of data subject with regard to all the purposes listed in [4]. However, where your business acts as a Data Controller for some of the listed purposes and a Data Processor for other listed purposes, your status should be indicated in [4] for each purpose individually, rather than being specified in general here.

[3] The contact details of the Privacy Officer or other party responsible for managing data protection for your business (ideally both electronic and postal contacts to permit choice).

[4] Multiple business purpose-specific sections relevant to the data subject category, each containing:

[4a] A statement of the legitimate purpose for the processing (e.g. ‘For the purpose of negotiating with and entering into contracts with corporate business suppliers’).

[4b] A business justification for the processing of the data subject’s personal data for this purpose (e.g. ‘In order to do this we need to process some of your personal data because you serve as our contact with the business supplier’).

[4c] A list of the categories of personal data processed for this purpose.

[4d] A statement such as: ‘The lawful basis relied on for this processing is ...’ (select and include the single most appropriate lawful basis from the options in Article 6 of the GDPR) ‘because ...’ (provide a brief justification for the lawful basis selected being appropriate).

[4e] A statement indicating any sharing with other businesses (even within the UK or Europe) or transfers of the personal data outside the European Economic Area. Sharing can often be expressed in general terms (e.g. ‘credit reference agencies’), but there are some circumstances under which the specific partners to sharing or transfer need to be identified more explicitly. This is dependent on context, and the advice of the Information Commissioner’s Office or specialist lawyers should be sought in case of doubt.

It is not necessary to indicate the negative if no sharing or transfers take place, but it is essential not to overlook even minor instances of sharing or transfers, for example the use of cloud offerings such as web analytics, customer survey or bulk emailing services.

[4f] A statement of the retention regime for this personal data: either a time period or the basis on which a retention decision is made e.g. ‘We will retain this personal data for this purpose until either you or the business supplier inform us that you no longer represent them.’

[4g] A list of the data subject rights in respect of this purpose and processing. Where a right is demonstrably irrelevant or cannot effectively be exercised in the context of the lawful basis, the purpose or the relationship with the data subject, it should be omitted from the otherwise standard list of rights per Articles 15-22 of the GDPR.

If upon drafting a privacy notice it is established conclusively that the list of exercisable rights is identical for all listed purposes, the list of rights may be appended to the end of the entire privacy notice rather than being repeated in each purpose section. However, where the list of exercisable rights for any one or more listed purposes differs, all purpose sections should include their own individual lists of rights to avoid confusion between the general and specific cases.

[5] Any supplementary purposes compatible with [4a] (e.g. archiving) that process the personal data in [4c] should be presented in the same manner as the main purpose, with their business justifications, lawful bases, retention criteria and data subject rights. The descriptions [4a] of these compatible processes should clearly indicate that they are supplementary to a specific identified main purpose and state in what way they are compatible with it.

The fundamental requirement for creating a compliant privacy notice is adequate research into what your business actually does day to day. Most failures result from senior management making assumptions about processing rather than finding out the facts, or worse, the IT department just being told to examine the CRM database for what is stored.

It is also essential, though, to explain your findings in a way your data subjects will understand. Consequently, in fulfilment of the transparency obligation (Article 12 para. 1 of the GDPR) it is important that every privacy notice is sufficiently detailed, but short, clearly presented and expressed in language accessible to the category of data subject to which it relates.

Finally, as your privacy notice is a legally binding undertaking on the part of your business to its data subjects, non-mandatory expressions of intent, obligation or performance should not be included in it to avoid creating unnecessary exposure to challenge and complaints.

Mike Barwise
Director, BiR
15/06/2018