UK General Data Protection Regulation (UK GDPR)

Privacy information under UK GDPR


Under the UK General Data Protection Regulation (UK GDPR), you need to give individuals certain information when processing their personal data. This information is known as 'privacy information'. It's advisable to document this information in a 'privacy notice'.

What is a privacy notice under UK GDPR?

A privacy notice is a public statement that informs people how you collect, process and use their personal data. It ensures that individuals understand what happens to their data in accordance with their right to be informed.

Before drafting your privacy notice, identify the personal data you hold and how you use it. You might need to carry out an information audit or data mapping exercise first. Communicate privacy information clearly, honestly and openly to the individuals concerned, in plain language they can understand.

What to include in your GDPR privacy notice?

The UK GDPR outlines the categories of information and details required in your privacy notice. Key components of a privacy notice include:

  • Who is collecting the data (your identity and contact details, and those of your Data Protection Officer if you have one)?
  • What type of data are you collecting?
  • How and why are you collecting it?
  • What is the purpose and the lawful basis for processing the data?
  • Who can access the information?
  • Will you share the data with any third parties?
  • Will you transfer the data abroad, and if so, what safeguards will protect it?
  • What safeguards will you put in place for the security of this data?
  • How will you use the information?
  • How long will you store the data for?
  • What rights does the data subject have, including to withdraw consent?
  • How can the individual raise a complaint, including with the ICO?
  • Will you be making automated decisions about the individual, including profiling?

What you need to tell people varies depending on whether you collect their data directly or from another source. The Information Commissioner's Office (ICO) provides detailed guidance on what information you must include in your privacy notice.

When to provide privacy information under UK GDPR?

Under the UK GDPR, you must provide privacy information at the time you collect the data if:

  • you collect information directly from individuals (eg when they fill out a form)
  • you collect data by observation (eg using CCTV or online tracking)

In practice this often coincides with asking for consent or explaining your legitimate interests, but you must provide privacy information whatever lawful basis you rely on.

If you obtain personal data from a third party or a public source, you must provide privacy information within a reasonable period of obtaining the data, and no later than one month afterwards.

For example:

  • if you plan to contact the individual using their data, give privacy information during the initial contact
  • if you plan to share data with others, provide a privacy notice with details about the sharing before disclosing the data

If you plan to use personal data for any new purpose, update your privacy information and tell individuals about the change before you start the new processing.

Best practices for providing privacy information under UK GDPR

There are several ways to provide privacy information, including:

  • layered notices - short notices with key privacy details and links to more detailed information
  • just-in-time notices - providing information at certain points of data collection (eg during a purchase)
  • icons and symbols - visual cues showing data processing activities
  • dashboards - tools that show how you use data and allow people to manage their preferences
  • smart device features - eg pop-ups, voice alerts and gestures on mobile devices

A blended approach, using multiple methods, is often most effective.

Tools and templates for creating a GDPR-compliant privacy notice

You can use our sample privacy notice and customise it to match your business needs and data processing activities.

You can also use the ICO's privacy notice generator tool, which is ideal for small businesses, sole traders and community groups. Other templates are available online but make sure that any template you use is GDPR-compliant and customised to your data practices.

This guide is for general information only and does not offer legal advice.