On 7 October 2016, the Information Commissioner’s Office (ICO) released a new code of practice in respect of privacy notices (the Code), with the aim of improving transparency and ensuring fairness for individuals when organisations are collecting their personal data.
There are 5 key areas of emphasis emerging from the Code and the ICO recommends organisations take these into account when drafting new privacy policies, or amending their current privacy policies:
- Consent – The Code includes further guidance on obtaining and recording consent from individuals (when consent is being used as a basis for processing) and some examples of good practices, including some standard wording for seeking consent for direct marketing, which has helpfully been tested on members of the public.
- Control – Individuals should be given more control in the management of their personal data, including how it will be used. The ICO advocates use of a privacy dashboard to enable users to indicate their agreement to particular types of data processing or sharing, and to allow users to change these settings at any given time.
- Communication – How and when a business communicates its privacy notice is a core part of the Code. The ICO encourages businesses to be innovative and not use a single document when other methods of communication would be more effective (some examples are provided). Clear and simple language should also be used (which is not always easy when complex technologies and processes are being used).
The Code also includes a privacy notice checklist covering key points to help ensure businesses draft notices effectively.
Compliance with the approach and good practice recommendations in the Code will help organisations to meet the enhanced privacy notice requirements set out in the General Data Protection Regulation (GDPR), although organisations will still need to include further information in their privacy notices (listed in the GDPR section of the Code/Articles 13 and 14 of the GDPR) to fully comply. The Information Commissioner has said it is extremely likely that the GDPR will start to apply before Britain leaves the European Union and, in any event, businesses will need to comply to do business in the EU.
According to an ICO survey conducted earlier this year, only one in four adults trust businesses with their personal data. Businesses clearly have a lot of work to do to build customer trust, and transparency is an excellent starting point. For more information on how we can help you craft an innovative, GDPR-compliant privacy notice, please contact a member of our team.