Data Protection Toolkit - Write a Privacy Notice
The concern for transparency and the individual's right to be informed means that you need to communicate your processing activities to your data subjects.
A privacy notice is the most common way to achieve this. It is not the only option, and in some cases you might choose to give the information in a different way, such as giving a short notice about a specific piece of information collected from a person.
This checklist makes sure that your privacy notice covers all the required information you need to include.
How do we write a privacy notice?
Your approach will depend on who your data subjects are, as well as how you collect information.
The Regulation states that the information must be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child" (Article 12(1)).
So a privacy notice should definitely not be written like a legal agreement. Its purpose is to provide information transparently, and if people don't feel like they've been properly informed, you may be breaching their rights. The notice should be written so that your intended audience is able to understand it.
If your data subjects are children, then write the privacy notice in a way that they would be able to understand. If you obtain consent from a parent on behalf of a child, you can provide two privacy notices: one for the parent and one for the child.
If the lawfulness of your processing is based on legitimate interests, you should state what those interests are. You should have undertaken a Legitimate Interests Assessment in pursuit of this, so include a short summary of the reasoning behind your decision.
Can we just copy someone else's privacy notice?
Generally speaking, this isn't a good idea. Your privacy notice must be suited to how your organisation uses personal information. If you don't feel you're ready yet to express how you collect and use data for yourself, then using another notice isn't going to help inform your subjects.
It may be that you end up including information that isn't relevant to your activities and is therefore misleading or commits you to something that you aren't willing to do. Or, even worse than that, you leave out information about an important processing activity that should be included.
By all means do some research and look for good (and bad) examples of privacy notices before you start writing your own. But keep in mind that you will be doing most of the writing.
We provide a privacy notice template to help you get started. It contains highlighted copy that you will need to change so that your own processing activities and practices are reflected. For example, you will need to insert your own organisation's name and contact details. You will also need to think about what groups of data subjects you hold data about and what lawful basis you have for processing their data.
We have added some general prompts to the template, but if you are processing information about children or involving criminal offence data you may want to consider taking specialist advice. The template is designed to cover the privacy information requirements of the GDPR, but there may be some areas that don't apply to your work (e.g. transfers to third countries) or extra commentary that you think would be sensible to add.
As a rule of thumb, when you are drafting your privacy notice think "what would I want to be told if it was my data being processed?"