A short guidance note explaining the GDPR obligations on businesses with regard to the information to be provided to individuals whose data they may be processing and containing a link to the ICO’s Privacy Notices Code of Practice.
Under the GDPR, individuals have a right to be informed about how their personal data is being used. This means that “data controllers” must provide ‘fair processing information’, typically in the form of a privacy notice.
In particular, the GDPR emphasises the need for transparency over how you use personal data when your agency acts as a data controller and you process personal data for your own purposes. This applies whether you are collecting personal data about employees, job applicants, the staff of clients or business partners, or even consumers if you are using their data for your own purposes (such as where you are building a proprietary agency-owned database).
The GDPR sets out the information that you should supply and when individuals should be informed. Some of the information you need to supply is already required under existing data protection law (such as your identity and how you intend to use their information). However, the GDPR requires some additional information to be provided. For example, the GDPR requires you to explain your “lawful basis” for processing the data (e.g. you have the individual’s consent or the processing is necessary for your agency’s legitimate interests); your data retention periods; and that individuals have a right to complain to the ICO. The information supplied in privacy notices must be concise, transparent, intelligible and easily accessible.
You should think about all the situations and points at which your agency collects personal data as a data controller. You should then ensure appropriate privacy notices are made available to cover all of these situations. You should also review your current privacy notices and put a plan in place for making any necessary changes in time for the GDPR. This includes the privacy notices you make available to job applicants and current employees, the privacy notices on your agency website, and the privacy notice of any digital products which your agency makes available to consumers as a data controller in its own right.
It is important to note that the requirement to provide a privacy notice only applies to the “data controller”. This means that it will not apply to your agency where you are acting as a “data processor” and processing personal data on a client’s behalf. It may be that a client requests that your agency drafts a privacy notice – for example if your agency is creating a campaign website or an app for a client. However, we would strongly recommend against agencies drafting privacy policies for their clients. As mentioned above, the regulatory responsibility sits with the client in this area, it should therefore be the client, and not the agency, who drafts the relevant privacy notice.
The IPA webinars give further guidance as to how to create privacy notices. At this stage the IPA has not published template privacy notices for agencies to use because of the range of situations in which they might apply and the variety of forms privacy notices can take. However, the IPA may publish further guidance in this area in due course.
In the meantime, you should refer to the ICO’s Privacy Notices Code of Practice which reflects the new requirements under the GDPR and provides helpful guidance regarding how to write privacy notices.