Example Fair Processing Notice - GDPR
Under the General Data Protection Regulation (GDPR), we now have to supply data subjects with Fair Processing Notices (FPNs) that contain significantly more information than they did under the Data Protection Act 1998. This meets the GDPR's new requirements on transparency and accessible information: customers and other individuals must be told, in a form they can find and understand, how you are going to use their personal data, so that they are fully informed and know how to exercise their rights under the GDPR.
Fair Processing Notices (sometimes referred to as Privacy Notices) set out the information you must provide to the individual under the new GDPR rules. The form a notice needs to take depends on whether the personal data is collected directly from the data subject or obtained from a third party (or a combination of the two), and on whether automated decision making, including profiling, is involved.
In all cases, certain information is mandatory in order to comply with the first principle (lawfulness, fairness and transparency): the identity and contact details of the data controller, the specific purposes of the processing and the lawful basis relied on for each (and, where that basis is legitimate interests, what those interests are), the third parties or categories of recipient you may send the data to, and details of any transfers to non-EU countries, along with the safeguards you have put in place. In addition, the notice must state the retention period (or the criteria used to decide it), list the data subject's rights, mention the right to complain to the ICO and, where relevant, state that automated decision making, including profiling, may take place, the logic on which it is based and the likely consequences for the data subject.
Whatever information is contained, it's important that it is presented legibly, in a reasonable font size, and written in easily understandable language that avoids jargon or overly legalistic terminology.
Crucially, where the processing relies on consent, the individual must be given a genuine choice as to whether they agree to it, and must be told that they can withdraw that consent at any time (withdrawing consent must be as easy as giving it). Your procedures should cover how consent is obtained and withdrawn, and every consent should be recorded - the controller has to be able to demonstrate that consent was given, and a record is what lets you prove compliance if the ICO asks.
Whilst the changes required under the new law are certainly extensive, the new rules also give firms an opportunity to re-appraise transparency and what it means for their relationships with their customers. And whilst it's understandable that some firms may feel customers are unlikely to read notices in full, recent evidence from the ICO shows that data subjects do have real concerns about how their data is used. The GDPR provides the perfect opportunity for firms to get ahead of the game here, building confidence in how their organisation uses personal data.
We have provided an example of what an FPN could look like, annotated with the GDPR Articles that dictate each part of its content, for ease of reference.