
Every individual has the right to know what is happening to their personal data and who has access to it, so to comply with the GDPR, data controllers must provide individuals with information about their data processing activities.

When you collect data directly from an individual, you must tell them how you intend to process their data at the time of collection. This can be done via a link in an email to an online privacy policy, by attaching a privacy policy to an email or by sending a hard copy by post.

If you collect data about an individual from another source, you should provide the privacy policy information the first time the data is used to communicate with the data subject or within a reasonable period of having obtained the data, which should not be more than one month. You must provide the information before you disclose the data to any other recipient.

Your privacy policy must be written in clear, concise language and should be easy to read and understand. Having a good privacy policy will build confidence and trust in how your organisation will treat personal data, and if you are not honest and upfront, you may lose potential business.

Your privacy policy must include the following information:

  • The name and contact details of your organisation
  • The name and contact details of your representative
  • The contact details of your data protection officer, if you have decided that you need to appoint one 
  • Information about why you process the data
  • What your lawful basis is for the processing
  • The legitimate interests for the processing, if indeed legitimate interests are one of your lawful bases 
  • Whom you may share information with and what categories of information you may share
  • The details of any transfers of the personal data to any third countries or international organisations
  • How long you will retain the data
  • Information about the rights individuals have in respect of the processing
  • The right to withdraw consent; this would often apply to marketing
  • The right to complain to a supervisory authority
  • The details of whether individuals are under a statutory or contractual obligation to provide personal data
  • The details of the existence of automated decision-making or profiling
  • If the data collected is from a third party, then you should provide details of that source.

Letting people know how you process data by setting it out in your privacy policy and by putting the policy on your website is ideal, but you must actively make individuals aware of it and provide them with easy ways to access this information.