Providing individuals with information about how you or your organisation propose to use the information they provide has been a requirement of data protection and privacy legislation for many years.
However, a recent initiative by the Global Privacy Enforcement Network (GPEN) indicates that many privacy policies, whether taken from an ‘off the shelf’ template or individually crafted, are neither necessarily adequate nor compliant.
The international initiative included 24 data protection regulators from around the world and was led by the UK regulator, the Information Commissioner's Office (ICO).
Fuller findings can be found on the ICO website, but here are the main points of the findings insofar as the 30 UK websites checked are concerned:
- 86% of sites failed to specify how and where information would be stored.
  - A requirement under the Data Protection Act 1998 (DPA), Principle 8, and the new General Data Protection Regulation (GDPR), Chapter V.
- 86% did not explain adequately whether they shared data with third parties and who that data would be shared with.
  - Again, a requirement under both sets of legislation above.
- 79% provided no information to users about how they could request deletion or removal of their personal data.
  - DPA: various rights combined under Principle 6, clarified and enhanced with ..
  - GDPR: the right to erasure (the right to be forgotten).
What information must be supplied?
Well, before the what, it's important to understand the how.
This in itself is another right under the GDPR, an individual’s right to be informed.
The link above provides the exact information that must be supplied, so we won’t duplicate it here.
Failing to supply it would also leave the organisation potentially in breach of the GDPR, which requires that personal data shall only be processed lawfully, fairly and in a transparent way (Article 5(a)).
Please take the findings from the research initiative as an opportunity, perhaps of a lifetime, to review how you or your organisation process personal data. It may seem a daunting task, but it will generally only need to be done once. Remember, though, that the introduction of any new technology or new way of processing personal data will require a further review (an ideal opportunity to implement privacy impact assessments) and possibly fresh consent from the individuals concerned.