Privacy Policies Explained: Ensuring Transparency Under the GDPR

Pauline Brace | Senior Data Protection and Information Security Consultant at URM | Published on 3 April 2025

Privacy policies play a crucial role in ensuring transparency and trust between data subjects and organisations that process personal data.  They are not just a best practice, but also a legal obligation under the UK and EU versions of the General Data Protection Regulation (GDPR).  In this blog, we explore why privacy policies are legally required and share some of URM’s insights into common mistakes and pitfalls we see among organisations implementing this legal requirement.

What is a GDPR privacy policy?

First, for clarity, let’s understand the naming conventions surrounding privacy policies, as these have become blurred.  In preceding legislation, these notices were formally referred to as ‘Information notices’.  Over time, references have evolved to what is commonly known as privacy notices, privacy information notices or more latterly, privacy policies.  Does this shift in wording matter?  In our experience, the change in terminology has caused some confusion due to other specific references in the UK legislation that require UK data controllers to also document and maintain a ‘data protection policy’.  This is a separate and mandatory obligation when a UK data controller needs to rely upon an exemption, set out in the UK Data Protection Act 2018 (under Schedule 1 Part 1 and Part 4), which exempts UK employers from the need to gain explicit consent for the processing of special category data that is necessary in the context of employment and the administration and management of employees.

Privacy policies, for the most part, are the result of implementing Article 13/14 information notices by publishing them on your organisation’s website for external readership.  Data protection policies, however, are primarily aimed at internal readership to inform members of your organisation about internal management structures, roles and responsibilities, and the principles and compliance behaviours required of internal stakeholders and employees.  Data protection policies may also contain the Article 13/14 information notices for employees, but rarely do.  Data controllers must have both in place to be compliant.

Why do data controllers need to publish a privacy policy?

The GDPR legal requirement is clear: all data subjects have a fundamental right to be informed when organisations are using their personal data.  This right is enshrined in the first principle of data protection, in Article 5(1), which states that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).

The obligation to address the key ‘right to be informed’ (sometimes referred to as the right to transparency) is additionally specified in Article 12.  This requires that any transparency information addressed to the public or to the data subject be concise, easily accessible and easy to understand, that clear and plain language or visualisation be used, and that the information be simplified in particular when it is addressed to children.

Most importantly, Articles 13 and 14 specify the information a controller organisation must provide prior to collecting or using personal data.  This includes the information data subjects are entitled to receive prior to or at the same time as the collection of their data directly from them (Art. 13), and separately when their personal data is collected indirectly from third parties (Art. 14).  The intention of these information notices is to ensure data subjects are provided with clear information about how and why your organisation is using their personal data, and this information must be sufficient to enable them to make decisions over the processing of their data and to exercise their rights.  For example, the information provided must be sufficient to allow data subjects to decide whether to give or deny consent for processing.

What do privacy policies need to tell data subjects?

Acknowledging that GDPR compliance requires you to provide information to both internal and external data subjects, the external privacy policy is a public document that explains how your organisation processes personal data and adheres to data protection rights and principles.  This must be made available ‘prior to or at the point of data collection’.  Some of the key elements that must be contained in the information provided in an Article 13 privacy policy (where the data is obtained directly from the data subject) include:

  • Identity and contact details: Information about your organisation, as a data controller, and its representative (if it has one), and how to contact its data protection officer (if applicable) or responsible point of contact
  • Purpose and legal basis: The reasons why you want to process the personal data (purposes) and the legal grounds for doing so, including, where applicable, details relating to contracts and clear mechanisms for consent
  • Data recipients: General details about the types of organisations that will receive the personal data and the names of these recipient entities if you know them
  • Data subject rights: Information about the data subject’s rights over the processing of their personal data such as access to, and the rectification and erasure of, their data
  • Data retention: How long the data will be stored or the criteria for retaining it
  • Data transfers: Information about any transfers of data to third countries or international organisations
  • Security measures: It is good practice to include a description of the security measures you use to protect personal data from unauthorised access, disclosure, loss or destruction
  • Automated decision-making: Details about any automated decision-making, including profiling and decisions made through artificial intelligence (AI)
  • Right to complain to regulators: How and where to make a formal complaint to a regulatory body.

What are the common pitfalls and challenges associated with privacy policies?

In addition to the confusion between website privacy policies and internal data protection policies, URM frequently identifies several key issues.  Many organisations rely too heavily on passive website privacy policies and, even when privacy policies are published, links to them are often hard to find (e.g., written in very small print in page footers) and therefore fail to meet the ‘easily accessible’ requirement.  Another prevalent issue is the absence of privacy notices, or hyperlinks to published policies, on social media channels, and a lack of privacy notices on mobile apps, leaving users uninformed about how their data is handled.  We also frequently identify organisations failing to meet the requirement to inform individuals of the processing of their personal data ‘prior to or at the point of collection’.  A number of organisations do not clearly separate their privacy notices from other website terms and conditions, making it difficult for users to locate the relevant information.  Finally, the use of legal narratives and excessive jargon often renders privacy notices complex and inaccessible, hindering transparency and user understanding.

Closing thoughts

Ensuring compliance with the GDPR’s privacy policy requirements is not only a legal obligation, but also critical to building trust with data subjects.  By addressing common but easily remediated pitfalls, such as reliance on passive policies, poor accessibility, and overly complex language, your organisation will meet its compliance obligations around privacy policies.  Beyond this, however, it will also enhance transparency, improve user confidence, and reinforce your commitment to responsible data handling, therefore setting your organisation apart from competitors in an increasingly data protection and privacy-conscious culture.

How URM can help

Almost every organisation processes personal data and is therefore required to comply with the GDPR.  However, navigating the nuances of the Regulation and its requirements can be difficult without help.  As such, URM can offer your organisation a wide range of consultancy services and training to ensure it meets the relevant data protection compliance requirements in full.

URM’s consultants can conduct a GDPR gap analysis where we review your organisation’s personal data processing against the Regulation’s requirements and provide a prioritised plan for remediation.  Following the gap analysis, our team can help you create key compliance documentation, such as your record of processing activities (ROPA), and support your completion of activities required by the GDPR, such as data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs).  For ongoing GDPR support, our virtual data protection officer (vDPO) service gives you access to an entire team of DP experts.  Meanwhile, if your organisation receives data subject access requests (DSARs), leverage our GDPR DSAR redaction service, where we will apply the necessary exemptions and redactions to ensure you provide a compliant response.

As well as our consultancy services, URM also regularly delivers a range of training courses related to DP.  To learn about the UK DP landscape in general and gain an industry-recognised DP qualification, attend URM’s BCS Certificate in Data Protection (CDP) course, which will fully prepare you to sit and pass the BCS-invigilated examination.  Or, if you would like to learn how to conduct key compliance activities, you can attend our half-day training courses on Conducting DTIAs, Conducting DPIAs, and our 1-day course on How to Manage DSARs.

Pauline Brace
Senior Data Protection and Information Security Consultant at URM
Pauline is a Senior Data Protection and Information Security Consultant at URM. She is an accredited BCS trainer, holds the BCS Certificate in Data Protection and the BCS Certificate in Principles of Information Security, and has previously achieved the Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP) and Payment Card Industry PCI-DSS QSA qualifications.