Individuals may need a greater or lesser degree of transparency about the amount of data you hold on them, what and how you will use it. As a general rule of thumb the more detail you hold, the greater and more accurate the picture of the individual becomes.
Combining information from different sources can create a very detailed picture of an individual’s affairs, for example:
– information from several different social media sites, including images
– video and location history.
Organisations that intend to combine information acquired from third party sources have an obligation to clearly and simply explain this and, it’s likely consequences allow the individual to consider what he/she wants you to hold, share or even delete.
If you are intending to collect and/or share data be sure to have read, understood and implement the rules in the ICO’s Data Sharing Code of Practice.
This (collecting and sharing data) is a clear example of where it is appropriate to actively communicate a privacy notice using a combination of techniques or embedded tools, as an individual may not expect this to happen and may find it overly intrusive. A Privacy Notice Icon or other embedded links in email disclaimers or in a Privacy Notice, GDPR portal or Company Website is simple to create and providing the message is clear, should help inform relevant individuals. The ‘hover’ function could also be used to give additional information and further links.
Ruby Datum’s Virtual Data Room solution includes a template set of terms and privacy notice that the users read and accept on either first login, every login or every set amount of days depending on the importance of privacy in the Virtual Data Room. You can also specify custom terms and notices, should you want to change these further either site-side or specific to certain user groups.
GDPR Privacy Notice Checklist.
The ICO has an excellent and clear checklist shown below on ‘What’ personal data you hold. Follow this and you will be in an enviable place regarding compliance:
Decide what to include by working out:
- what personal information you hold;
- what you do with it and what you are planning to do with it;
- what you actually need;
- whether you are collecting the information you need;
- whether you are creating new personal information; and
- whether there are multiple data controllers.
If you are relying on consent, you should:
- display it clearly and prominently;
- ask individuals to positively opt-in;
- give them sufficient information to make a choice;
- explain the different ways you will use their information, if you have more than one purpose;
- provide a clear and simple way for them to indicate they agree to different types of processing; and
- include a separate unticked opt-in box for direct marketing.
Also consider including:
- the links between different types of data you collect and the purposes that you use each type of data for;
- the consequences of not providing information;
- what you are doing to ensure the security of personal information;
- information about people’s right of access to their data; and
- what you will not do with their data.
Remember to review and refine your Privacy Notice. Communicate the Privacy notice clearly and in more than one format. Like everything in Business it must remain dynamic but always remain accessible and easy to understand.