Events

 

GDPR: Communicating your updated or new policies to your data subjects

 
GDPR: Communicating your updated or new policies to your data subjects

23 April 2018

The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations on controllers1 and processors2. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of € 20 million or 4% of annual global turnover, whichever is the higher.

Our first, second and third articles in this series covered steps 1, 2 and 3 in your journey towards GDPR compliance:

January:  Carrying out a thorough and exhaustive data and information audit to identify your personal data assets,

FebruaryUpdating your existing, or implementing, data protection policies and practices in light of the results of that audit,

March:  Carrying out staff training to ensure that your employees are up to speed with your new data protection policies, practices and procedures.

One of the most important obligations under the GDPR is the overarching and ongoing requirement for transparency in relation to every facet of the processing of personal data. The following is not an exhaustive list but your data subjects must be fully and effectively informed about:

  • who you are as the data controller;
  • how you obtained their personal data;
  • precisely what personal data you are or will be processing;
  • what further information will be required to ensure fair and transparent processing;
  • why you process their personal data (i.e. why was is collected and why is it being used);
  • their rights as data subjects in respect of obtaining confirmation and communication of the personal data being processed; and
  • who is involved in the processing (i.e. do you or do you intend to share the personal data with any third parties).

Ahead of the GDPR’s enforcement date of the 25th May it is important to consider how you will comply with the GDPR’s obligations on transparency for your existing data subjects as well as those whose data you collect or obtain following the implementation of your new GDPR-compliant practices.

It is essential that you publish your centralised privacy policy, comprehensively setting out all necessary information (reference) in order to provide general and constantly available information to all data subjects. However, you must also ensure that this information is actively communicated to your data subjects where relevant.

For new data subjects – it will be helpful to take a layered and multi-pronged approach to communicating with new data subjects by including privacy-relevant information at various relevant locations. The ICO recommends, for example, including a message when an email address is entered which explains that it will be used for customer services purposes. Obviously this is a detail that will also be included in your privacy policy, but incorporating the message at the point of collection will increase your transparency regarding the processing of this data.

For existing data subjects – it will be necessary to revisit what information has already been provided to these data subjects regarding the processing of their personal data in order to confirm whether these details meet the requirements of the GDPR. Where you are making changes or additions to the information provided. The Working Party 29 recommends that these be actively brought to the attention of the data subjects, but at the very least (in the case of minor changes and updates) made publically available, such as visibly on your website).

You can find more information about communicating with your data subjects and the transparency requirements under the GDPR staff training and improving awareness about data protection principles on our webpage and the following helpful Information Commissioner’s Office (ICO) webpages:

If you have any questions, or need any assistance with preparing your privacy notice or developing your communication strategy, please do get in touch

In our next update we will be running a webinar which will set out a final checklist for GDPR compliance.


1 A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2 A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Related Services