The GDPR requires you to tell your customers how you will use their data, who you may share it with, how long you will keep it, in clear and concise terms that can be understood by humans. This needs to be detailed in your Privacy Statement and relevant security policies.
Personal data processing must be:
concise, transparent, intelligible and easily accessible
written in clear and plain language, particularly if addressed to a child
free of charge
The ICO states,
“being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
What’s more, the information you should provide is changing too. The lawful basis for your data processing, such as how long you’ll keep the data for and the user’s right to complain, are all pointed to in the GDPR. The following questions should be considered when writing a privacy notice:
What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?
So, what does a privacy notice look like? It’s not as lengthy as the questions above may suggest, in fact it chiefly tackles what will be done with personal data, by whom, and who it will be shared with. The privacy notice is part of obtaining consent from the user (or telling them about legitimate interests, for example), and is presented at the point of data collection.