
Our organisation has a privacy notice which was produced when the GDPR came into force in 2018. Do we need to update it?


The short answer to this question is yes, for two main reasons:

(a) Data protection law in the UK has evolved since the GDPR came into effect in 2018 (over five years ago). Firstly, the UK has left the EU, so we now talk about the “UK GDPR” rather than just “the GDPR”, and the UK GDPR is a legally distinct instrument from what, for ease of reference, we may now call the “EU GDPR”. Whilst the UK GDPR is currently broadly in line with the EU GDPR (reforms are expected in spring 2024, although they are far from revolutionary), there are some practical differences. For example, the rules on international transfers now apply to transfers of personal data outside the UK, not transfers outside the EEA. Also, case law and guidance relating to the EU GDPR do not bind the interpretation of the UK GDPR (although they are considered useful). The application of data protection law has also evolved since 2018, with many cases decided in the courts and new guidance on the application of the legislation published (for example by the UK Information Commissioner’s Office). This has necessitated some changes to privacy notices, for example the need to include more information about the third parties to whom a data controller transfers personal data.

(b) The way your organisation uses personal data has in all likelihood evolved and changed. It is important to keep your organisation’s personal data processing activities under constant review and, in doing so, to review your privacy notice to see whether any changes are required. For example:

(i) if your organisation traditionally only dealt with sales to business customers but you have started selling direct to consumers, this will impact on your privacy notice;

(ii) if your organisation starts offering a new service to customers which necessitates the collection of medical information relating to customers which you didn’t previously collect or need, this will impact on the content of the privacy notice; or

(iii) if your organisation sets up a new subsidiary company, this may impact on the content of the privacy notice (for example if personal data will be shared between the two companies), and the new subsidiary company should also have its own privacy notice if it is processing personal data.

So, like data protection impact assessments and legitimate interests assessments, privacy notices are evolving documents; they cannot be put in place and never considered again. What is key is that when an individual provides personal data to your organisation, they should be able to read your privacy notice and understand how their personal data will be used, and that both the way in which they are informed and the detail they are given comply with current data protection law requirements.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.
