On 7 October 2016, the Information Commissioner's Office (ICO) released a new code of practice (the Code) for privacy notices. The guidelines aim to improve transparency and fairness for individuals when organisations are collecting and using their personal data.
The Code highlights five key areas to consider when drafting new, or amending existing, privacy policies:
The Code includes further guidance on obtaining and recording consent from individuals (where this is relevant) and some examples of good practice, including some standard wording for seeking consent for direct marketing, which has helpfully been tested on members of the public.
Individuals should be given more control over the management of their personal data and how it will be used. The ICO advocates using a privacy dashboard, allowing users to indicate their agreement to particular types of data processing or sharing, and change these settings at any time.
How and when a business communicates its privacy notice is a core part of The Code. The ICO encourages businesses to be innovative and avoid using a single document when other methods of communication would be more effective. Clear and simple language should also be used whenever possible, although The Code acknowledges this isn't always easy when complex technologies and processes are involved.
The Code also includes a privacy notice checklist with key points to help you draft these effectively.
Following this guidance will help you comply with the General Data Protection Regulation (GDPR), although bear in mind you also need to include the further information listed (in the GDPR section of the code/Articles 13 and 14 of the GDPR) to fully comply. If you're wondering how this will be affected by Brexit, the ICO has said it is extremely likely that the GDPR will start to apply before Britain leaves the European Union and, in any case, you will need to comply to do business in the EU.
The ICO can currently award fines of up to £500,000 for failing to prevent a breach of the Data Protection Act 1998 (DPA) and under the new GDPR – coming into force in 2018 - maximum fines will increase to €20m, or 4% of a company's global turnover.
Superscript provides insurance protection for defence costs and expenses as a result of a civil regulatory action, such as breach the DPA or GDPR, as well as the actual regulatory award, civil penalty or fine payable, to the extent that these are insurable by law.
Need further information? Then contact Edward Ventham.