While reviewing client privacy notices, and many privacy notices of service providers, we have identified some common problems that are worth sharing so that you can do a quick check of your business's Privacy Notices.

As Privacy Notices should be published online, they are part of the public face of the organisation and quickly flag to regulators that there may be issues with data protection compliance.  It is also important to review them regularly to keep them up to date and consistent with other Privacy Notices published online.

Review dates can really let the side down if they are not within the last twelve months.  Many privacy policies currently present a date or last review date of May 2018, which is not confidence inspiring.  A review date indicates when you have not reviewed your materials as well as when you last did!  So, take a look at your organisation’s online Privacy Notice to make sure it passes muster.  Here are some common problems to look out for.

A common stumbling block is determining the appropriate lawful grounds for processing for particular purposes.  It is very common to see a list of the lawful grounds without attributing them to any particular processing purposes.  In the following example, restating the legal position does not provide the required information:

“How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as:

  • To fulfil a contract we have with you;
  • When it is in our legitimate interest;
  • When you consent to it; or
  • To comply with the law.

A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests.”

Although technically correct, this fails to link the lawful grounds to the processing purposes; it just restates the law.

Missing information is another problem area.  For example, the following sentences do not provide the mandatory information about how long personal data is being retained by this organisation:

“How long do we keep your data?

We only keep your data if there’s a business need or legal requirement to do so.  And we’ll keep it only for as long as is necessary, in line with our retention policy.”  There is no link to the retention policy.

Clearly this does not inform users of the length of time their data will be held nor give them the information they need to work out how long their data will be held.

On the whole, it is preferable to publish a Privacy Notice, faults and all, rather than simply ignore the requirement.  Lots of websites still don’t have a Privacy Policy at all.  But better still, have a Privacy Notice and review it at least annually.  To find out how we can help, visit our ‘About Us’ page.

Mandy Webster, Data Protection Consultant