Should we test, review and update our privacy information?
In more detail
- What should we do before we deliver our privacy information to people?
- What should we do after we deliver our privacy information to people?
- What if we want to use personal data for a new purpose?
What should we do before we deliver our privacy information to people?
Carrying out user testing will provide useful feedback on draft privacy information. This is where you select a sample of your customers and ask them to access and read the information to obtain their feedback on:
- how they accessed it;
- if they found it easy to understand;
- whether anything was difficult, unclear or they did not like it; or
- if they identified any errors.
Asking your customers to do this will help you improve the effectiveness of your delivery of the information. You are likely to come up with a far more useful and engaging approach if you consider feedback from the people it is aimed at.
Example
You plan to deliver privacy information to people based on assumptions you made about a user’s journey around your website. However, during your user testing you identify that people are often directed to a specific page of your website straight from a third party search engine and therefore miss some of the information supplied on your homepage. Having identified this, you ensure that your privacy information is correctly connected together so that individuals do not miss anything important. For instance, you provide a link to more detailed information in all your just-in-time notices so that an individual can see the important message at that point in the journey but can also refer to further information to see if they have missed anything.
Having made any changes to the content and delivery of your privacy information as a result of user testing, you are then ready to roll it out using the tools and approaches you have selected.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
WP29 adopted guidelines on Transparency, which have been endorsed by the EDPB.
What should we do after we deliver our privacy information to people?
You need to regularly review the information to:
- check that it actually explains what you do with individuals’ personal data;
- ensure that it remains accurate and up to date; and
- analyse complaints from the public about how you use their personal data and in particular any complaints about how you explain your use of it.
What if we want to use personal data for a new purpose?
If you plan to use personal data for a new purpose, you need to tell people about this before you do so. In these circumstances, you must update your privacy information to reflect what you intend to do with people’s data, and proactively bring this change to their attention before you start any new processing. In particular, you must provide people with information on the new purpose for processing, along with any relevant further information concerning:
- your retention period for the personal data that you are processing for the new purpose;
- the rights available to individuals in respect of the new processing;
- the right to withdraw consent for the processing;
- the right to lodge a complaint with a supervisory authority;
- the source of the personal data (if you obtained it from a source other than the individual);
- the details of whether individuals were under a statutory or contractual obligation to provide the personal data (if you collected it from the individual); and
- the details of the existence of automated decision-making, including profiling (if it is solely automated and has legal or similarly significant effects).
If you do not obtain consent for the new processing, as well as updating your privacy information, you must also take into account the purpose limitation principle. This means making an assessment of whether what you plan to do is compatible with the original reason you collected or obtained the personal data.
Further reading – ICO guidance
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
WP29 published the following guidelines which have been endorsed by the EDPB: