GDPR: Communicating your updated or new policies to your data subjects
The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations on controllers1 and processors2. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach: now up to a maximum of €20 million or 4% of annual global turnover, whichever is the higher.
Our first, second and third articles in this series covered steps 1, 2 and 3 in your journey towards GDPR compliance:
One of the most important obligations under the GDPR is the overarching and ongoing requirement for transparency in relation to every facet of the processing of personal data. The following is not an exhaustive list, but your data subjects must be fully and effectively informed about:
Ahead of the GDPR’s enforcement date of 25 May, it is important to consider how you will comply with the GDPR’s transparency obligations for your existing data subjects, as well as for those whose data you collect or obtain following the implementation of your new GDPR-compliant practices.
For existing data subjects, it will be necessary to revisit what information has already been provided to them regarding the processing of their personal data, in order to confirm whether these details meet the requirements of the GDPR. Where you are making changes or additions to the information provided, the Working Party 29 recommends that these be actively brought to the attention of the data subjects, or at the very least (in the case of minor changes and updates) made publicly available, for example visibly on your website.
You can find more information about communicating with your data subjects and the transparency requirements under the GDPR, staff training, and improving awareness of data protection principles on our webpage and on the following helpful Information Commissioner’s Office (ICO) webpages:
If you have any questions, or need any assistance with preparing your privacy notice or developing your communication strategy, please do get in touch.
In our next update we will be running a webinar that sets out a final checklist for GDPR compliance.
1 A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.