This post helps you understand privacy policies, privacy notices and what you need to do in this area to comply with the GDPR.
As with our other data protection resources, we have tried to decode the guidance provided by the Information Commissioner’s Office ('ICO' - the government body that oversees data protection in the UK) and interpret it in a way that helps small charities understand the key provisions and adopt a proportionate response considering their own size and audience.
This all comes with the important caveat that we are not lawyers! We support small charities with practical no-nonsense guides to communicating well online. So these resources should save you a lot of time but it’s prudent to get a lawyer to check them over too.
As we discussed in our guide to GDPR and data protection for small charities, the new data protection legislation adds clarity to many requirements that already existed. One such area is privacy notices and policies. The key term used in the legislation and guidance is ‘privacy notice’ but this is a slippery term that has given rise to a lot of confusion.
Previously, lots of organisations published ‘privacy policies’ but the terminology in GDPR has left organisations wondering whether they should rename their policies. However, as we explain below, these terms are describing two different things.
According to the ICO the term ‘privacy notice’ is used to:
In contrast, each time you collect data from someone you need to think through your ‘privacy notice’. This term explains the individual’s particular experience when they give you data.
The underlying principle seems clear:
How to deliver privacy notices
In general terms you need to explain:
According to the ICO, it’s fine to require an individual to go and find privacy information themselves when their data is being used for a purpose that a reasonable person would expect to be necessary, such as using their address details to send them a product they have ordered.
The ICO guidance on active notices is not prescriptive (i.e. you’ll still need to interpret it for your situation) but it is clear and concise so we’ll quote it here:
“The need to actively provide privacy information is strongest where:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.”
So what documents do you need?
Documents alone do not achieve compliance. The GDPR is, in large part, about providing individuals with more transparency. So as a small charity you should think about your documents as a toolkit to help you improve the experience of individuals who engage with your charity.
This list sets out the key tools you should have in place. Items 1 and 2 are standalone documents and items 3 & 4 are snippets of text that will change dependent on the context in which they are shown.
1. Data Protection Policy
This is an internal document explaining how you, as a charity, will manage data responsibly in a way that continues to comply with data protection legislation. For more on this, read this post and the associated template on data protection policies.
2. Privacy policy
This document contains a complete public statement about how your organisation deals with personal data.
3. Consent statement
For the purpose of direct marketing (i.e. sending people updates about your work or requests for support), you are likely to rely on consent as your ‘lawful basis’ for processing this data. The consent statement answers the question ‘what am I signing up for?’ It should be clear and specific, but you should also think broadly about the future, because if you later change this statement and the materials you send out, your old consents may become invalid.
4. Supplementary privacy notice
These supplementary notices deal with the situation where, due to the nature of the data being collected, you need to flag information more actively about how you will handle it. Passive and active notices are discussed in more detail in the previous section.
Passing data to third parties
Thankfully, the ICO has made it clear that you do not have to include details of every third party. The key distinction is whether a third party is a Data Processor or a Data Controller. These terms can be a little confusing, since under the GDPR both data processors and data controllers ‘process’ data.
A Data Controller determines the purposes and means of handling personal data. When you collect data from people, you will normally be the data controller. If you pass data to another data controller, this is a big deal. Examples of third-party data controllers are organisations to whom you refer clients or to whom you pass on data for marketing purposes. Where you do this, you must almost always seek active, informed consent that names the data controller to whom you will be passing the data.