Is your Privacy policy GDPR ready?

With the General Data Protection Regulation (GDPR) coming into force later this month, organisations need to take steps now to be ready ahead of the 25 May deadline. One key action is to review and update the organisation’s Privacy policy.

What does a Privacy policy need to include to be GDPR compliant? The GDPR (articles 13 and 14) explicitly requires data controllers to inform data subjects of the following:

  • the data controller’s identity and contact details;
  • details of the data protection officer/manager;
  • the purpose and legal basis for processing;
  • if the legal basis for processing is legitimate interest, what that interest is;
  • recipients, or categories of recipients of the personal data;
  • if there is a statutory or contractual requirement for the data subject to provide personal data, what the consequences are for failing to do so;
  • the data controller’s source of the personal data, if it has not been provided directly to the data controller by the data subject;
  • the data subjects’ rights;
  • how long the personal data will be retained or, if no time frame can be provided, how the retention period will be calculated;
  • whether any automated decision-making is being carried out, and information about such decisions; and
  • whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data.

If you need any help or guidance to prepare for the upcoming GDPR, please contact Kathryn Hirst or Catherine Addley, who will be happy to help you.