Back in 2018 when the GDPR came into force, one of the key pieces of documentation that all organisations needed to implement was a privacy notice. This is the document that tells people what information you hold about them, and what you are doing with it.
Ideally, you would review these on a regular basis, and also whenever you start a new project or venture that changes what you do with personal data.
Why check your privacy notices?
First, it is a legal requirement to tell individuals certain, specific information about what you are doing with their data, so it's always worth checking that you continue to meet this requirement by way of your privacy notices.
There is new legislation in place that governs data protection in the UK, so all references to the old regime should be removed to ensure your notice is up to date.
Increasingly, individuals are more aware of their rights, and willing to make complaints about the way that their data has been handled - usually in the course of a wider complaint. If your privacy notice is not fully compliant, that becomes an additional point of complaint, one that is easily avoided by keeping the notice compliant.
Finally, many individual rights are linked to the legal basis that you are using for specific types of information. If you are not explicit in your notice about which legal basis applies to which type of processing, you may find that complying with a request for erasure or withdrawal of consent is more complicated than it needs to be.
Tips for review
Start with a table listing the types of individual that you deal with on a regular basis (beneficiaries, employees and trustees, donors and supporters, etc.). For each category, list the types of information that you collect, and then the purpose of collecting that information. Once you have that, list the legal basis you are relying on next to each purpose.
The start of your table may include the following headings:
- Category of individual (such as trustee or donor)
- Type of information (such as contact information or bank details)
- Purpose (such as “to comply with the Charity Commission” or “to process donations”)
- Legal basis (such as legitimate interest or legal obligation)
You can then expand the table to cover the other information that you need to provide - such as where the information is stored, security measures that are in place to protect it, the retention period for the information, etc. The table can then be used to check that your notice covers everything.
Can we have more than one notice?
Absolutely - the UK GDPR is not specific about how you provide the information, so the format is up to you. Where you have vulnerable beneficiaries, it will be important to consider how they access the information, and whether it is presented in a way that can be easily understood, so do consider graphics or videos rather than relying solely on written statements.
It can also be helpful to separate out employees/volunteers/trustees from beneficiaries and donors, as the types of information collected are very different.
What information do we need to provide?
The information that you need to provide is set out in Articles 13 and 14 of the UK GDPR. The ICO also publishes guidance on what needs to be included: Right to be informed | ICO.
Having compliant privacy notices in place can prevent complaints and the exercise of certain rights from becoming unnecessarily complex. By reviewing and updating your table of information on a regular basis, you can also spot information that is no longer needed, or areas where you might need more or different information, and be able to demonstrate to the ICO that you know what you are doing with the personal data that you hold.
Vicki Bowles is a barrister and partner at VWV solicitors