- 14 Dec 2023
Data Protection - What is a privacy notice, why does my organisation need one and what information do we need to include?
If your organisation collects, holds and/or uses personal data (for example names, addresses, telephone numbers or email addresses about employees, customers or suppliers) in any way, then it will need to have one or more privacy notices in place. You may see privacy notices called other names, for example ‘privacy information’ or a ‘fair processing notice’, which all mean the same thing in practice.
A privacy notice explains a number of things to an individual whose personal data the organisation is collecting, including:
- why the organisation needs their personal data
- what the organisation plans to do with the personal data which it collects
- the organisation’s lawful bases for holding and using the personal data
- how long the organisation will keep the personal data (we call this the retention period)
- if the organisation will share the personal data with a third party (e.g. another organisation which assists it in providing its services)
- whether any of the personal data will be transferred outside of the UK and if so, the safeguards put in place to protect the personal data
- the individuals’ personal data rights, such as the right to access personal data
- how the individual can complain to the Information Commissioner’s Office (the UK’s data protection regulator)
This means that the privacy notice cannot be an ‘off the shelf’ document, and it is not a case of just adopting a standard template. Instead, a privacy notice must be tailored to the specific personal data an organisation collects and how it processes that information. Processing outside of what is detailed in the privacy notice will not be lawful, as it will not have been done in a manner which is transparent.
Finally, it is important that the privacy notice is available to the individual at the time they are being asked to provide the personal data to the organisation. For example, if your organisation sells goods via a website, then the website will request contact and delivery information and also payment information. Therefore, before the customer submits the order on your website, they should have the organisation’s privacy notice brought to their attention so that they can read it (if they wish) and make an informed decision as to whether to proceed with providing your organisation with their personal data by placing the order.
Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.