GDPR: What to Consider When Communicating Privacy Information
The need for consent underpins the GDPR. Individuals must opt in whenever data is collected, and there must be clear privacy notices. These notices must be concise and transparent, and it must be possible to withdraw consent at any time.
The first principle of data protection is that personal data must be processed fairly and lawfully. For the processing to be fair, the data controller (who determines the purposes for which and the manner in which any personal data are, or are to be, processed; in simple terms this is the employer, who is the controller of their employees' data) has to make certain information available to the data subjects (the individuals to whom the data relates), so far as practicable. This information should include who the data controller is; the purpose or purposes for which the information will be processed; and any further information which is necessary in the specific circumstances to enable the processing to be fair.
Therefore, when considering your communication about privacy information you may wish to include what you deem as fair, which could include, but not be limited to, the following:
- Using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used.
- Thinking about the impact of your processing. Will it have unjustified adverse effects on them?
- Being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them publicly available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.
To cover all these elements you will need to take into account the following issues when planning a privacy notice:
- What information is being collected?
- Who is collecting it? How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
For existing employees, companies will need to roll out employee data processing notices that refer to the new legislation.
For new hires, companies should replace the consent language in these documents with new language referencing one or more of the new legislation.