On 7 October 2016, the Information Commissioner’s Office (ICO) released a new code of practice in respect of privacy notices (the Code), with the aim of improving transparency and ensuring fairness for individuals when organisations are collecting their personal data.

There are 5 key areas of emphasis emerging from the Code and the ICO recommends organisations take these into account when drafting new privacy policies, or amending their current privacy policies:

1. Content – An ‘off-the-shelf’/‘one-size fits all’ privacy policy is not endorsed. Organisations should develop bespoke policies relevant to the data being collected and their intended audience. The Code encourages organisations to map out how information is processed in order to be able to provide individuals with sufficient detail to be informed of how the organisation will use their data. The ICO acknowledges that drafting privacy notices broadly can allow for development in the way a business uses personal data and encourages businesses to align their privacy policies with their house style and approach.

2. Consent – The Code includes further guidance on obtaining and recording consent from individuals (when consent is being used as a basis for processing) and some examples of good practices, including some standard wording for seeking consent for direct marketing, which has helpfully been tested on members of the public.

3. Control – Individuals should be given more control in the management of their personal data, including how it will be used.  The ICO advocates use of a privacy dashboard to enable users to indicate their agreement to particular types of data processing or sharing, and to allow users to change these settings at any given time.

4. Communication – How and when a business communicates its privacy notice is a core part of the Code. The ICO encourages businesses to be innovative and not use a single document when other methods of communication would be more effective (some examples are provided). Clear and simple language should also be used (which is not always easy when complex technologies and processes are being used).

5. Consultation – Before rolling out a new privacy policy, organisations should seek the input of its intended audience to test the effectiveness of the policy. This helps the organisation to test: (i) whether individuals understand the policy; (ii) if it is clear and appropriate to the audience; and (iii) whether it contains any errors.

The Code also includes a privacy notice checklist covering key points to help ensure business draft notices effectively.

Compliance with the approach and good practice recommendations in the Code will help organisations to meet the enhanced privacy notice requirements set out in the General Data Protection Regulation (GDPR). Although organisations will still need to include further information in their privacy notices (listed in the GDPR section of the code/Articles 13 and 14 of the GDPR) to fully comply. The Information Commissioner has said it is extremely likely that the GDPR will start to apply before Britain leaves the European Union and, in any event, businesses will need to comply to do business in the EU.

According to an ICO survey conducted earlier this year, only one in four adults trust businesses with their personal data. Businesses clearly have a lot of work to do to build customer trust and transparency is an excellent starting point. For more information on how we can help you craft an innovative, GDPR-compliant privacy notice, please contact a member of our team.

• Share this blog

• Twitter
• Facebook
• Linkedin