GDPR – How much to disclose in your privacy policy

The General Data Protection Regulation (GDPR) requires you to disclose certain information to people whose data you collect, use, store or otherwise “process”.

The Regulation does state what needs to be disclosed. However, it isn’t prescriptive about form or detail, which has led to much confusion as to exactly what level of detail to provide in a privacy notice.

There is uncertainty in three particular areas.

What data is in the scope of the Regulation?

The scope of the GDPR is personal data; that is, information relating to a living individual who is identified or could be identified, directly or indirectly. Context is important in deciding what counts as personal data.

Some information clearly identifies an individual. Payroll information that lists salary by name would constitute personal data, as would salary by job title if the job titles could identify to whom the salaries were paid.

Then there is information that identifies an individual only through context. The total maternity pay for the business would be personal data if it were known that it related to one specific person. The same figure, where several people were on maternity leave over the same period, might not be.

Distinguishing personal data becomes more difficult when there could be multiple contexts. Information relating to sole traders is an excellent example. Where information such as a name and contact details is used purely for business, it is often treated as business data. But a sole trader is a natural person, and the same information might equally be used for personal reasons (certainly a name, and possibly a mobile telephone number), so it is hard to argue it out of scope altogether. Here it is necessary to consider not only what data is processed, but the context in which it is processed.

Similarly, information about other organisations’ employees can come within the scope of GDPR. If your database simply records Mary as the customer support representative for a supplier, that is arguably business data about the supplier. As soon as anything further that is personal to Mary is recorded (such as an e-mail exchange in which she tells you what she did at the weekend), it is clearly personal data and within scope.

Categories of data, purpose and grounds for processing

On this point, GDPR requires you to identify the categories of personal data you process, and for each category the purpose of the processing and the lawful basis on which it is carried out.

The Regulation doesn’t specify how granular the information must be. At first, it may seem best to be as transparent as possible by being very specific.

However, the more specific you are, the more you confine yourself to that data or those uses, and the more often the notice will need updating. We believe the ideal balance is probably to use a reasonably wide description of a category of data (such as “contact information”) and then give specific examples of what may be in that category (such as “telephone number and e-mail address”).

To make disclosure decisions a little more difficult, the requirement to list the categories of data applies only where you did not obtain the data from the data subject. If the data subject provides you with his or her own data, you are not required to set out what it is.

In the case of data processed to carry out a contract, the categories of data, the basis and the purpose are likely to line up. For example, the information given to you so that you can perform your service (category and purpose) is likely to be processed under Contract (basis). Given that the majority of that information will have been provided by your client, there probably isn’t much else to disclose to that data subject, although there may be more to disclose to other related parties whose data the client has passed to you.

Sometimes it won’t be known what data will be processed, and therefore you cannot be specific at all. For example, your client may become subject to a tax investigation. What information HMRC will request is unknown when you write your privacy policy, but whatever it turns out to be will be processed (handed over) on the basis of Legal Obligation.

A last consideration on this point is that if any data subject wants to know the specific details of what information you hold about him or her, and the basis for processing it, he or she has a right of access and can ask you. So the GDPR gives you an opportunity to be specific where specificity is actually required, rather than in advance for everyone. As a side note, there are limited exemptions under which you are not required to fulfil such a request.

Cookies

Cookies are a way of carrying data between webpages. They are small pieces of data that a website asks the browser to store (via an HTTP Set-Cookie response header, or by script on the page) and that the browser then sends back with later requests to that site, where they can be read or updated. Commonly they are used for tracking behaviour (such as the order in which pages were visited), or for recording information between pages (such as storing the answers given on one page for use on another). A cookie that carries an identifier can therefore be personal data, even if it contains no name.

Cookie policies came about because at one time there was particular concern about their use. The GDPR itself, however, doesn’t require any more special treatment of cookies than of any other method of data use – that is, categories of data, purpose and grounds for processing – and it contains no requirement to mention cookies by name. The caveat is that the separate ePrivacy rules (PECR in the UK) still require you to tell users about cookies that are not strictly necessary and to obtain their consent, so cookies cannot simply be left out. Some of the data you collect using them could also be collected by other means.

If you do describe your use of cookies, which is probably something that still interests data subjects, you can do so within your privacy policy – there doesn’t need to be a separate cookie policy page.

Nor does the depth of information you provide about cookies need to be great – just sufficient.

Cookies are an example of something about which too much information can be less useful than too little. Developers change the parameters of cookies, such as what they do or when they expire, relatively often. Many of those developers are third parties (for example Google, in providing its Analytics software), and such changes can be made without telling you, so a detailed notice requires you to audit your cookie use often. It could be argued that detailed information that is incorrect is less useful than more general information that is correct. You could also argue that the average reader of your privacy policy is not interested in exactly what your cookies are named or when they expire, just whether you use them and briefly why.
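The audit that paragraph calls for can be automated. The following is an added example, not code from the original article: it takes Set-Cookie response headers captured from a site (the hostnames, header values and the “declared” list below are all constructed for illustration, and `example.com` is a hypothetical site under audit), builds an inventory of what is actually set, and compares it with the cookie names the privacy policy currently declares, so that drift in either direction is caught before the notice becomes wrong.

```python
"""Cookie inventory: audit the cookies a site actually sets, from captured
Set-Cookie headers, and compare them with what the privacy policy declares.
Added example for this article, not the author's code; all hosts, header
values and the declared list are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Hypothetical site under audit; cookies scoped to it or a subdomain are first-party.
FIRST_PARTY = "example.com"

# Constructed sample capture: (host that sent the response, Set-Cookie header value).
CAPTURED = [
    ("www.example.com", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "_ga=GA1.2.111; Domain=.example.com; Path=/; "
                        "Expires=Sat, 01 Jan 2028 00:00:00 GMT"),
    ("stats.analytics-vendor.example", "_vid=xyz; Domain=.analytics-vendor.example; "
                                       "Max-Age=94608000; Secure; SameSite=None"),
    ("www.example.com", "prefs=dark; Max-Age=2592000; Path=/"),
]

# What the (constructed) privacy policy currently says the site uses.
DECLARED = {"session", "_ga", "cart"}

# Fixed clock so the audit output is reproducible.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    domain: str
    path: str
    expires: Optional[datetime]   # None means a session cookie
    secure: bool
    http_only: bool
    same_site: Optional[str]
    third_party: bool


def parse_set_cookie(header: str, response_host: str, now: datetime,
                     first_party: str = FIRST_PARTY) -> CookieRecord:
    """Parse one Set-Cookie header (RFC 6265): name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs, flags = {}, set()
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if not key:
            continue
        if sep:
            attrs[key] = val.strip()      # e.g. path, domain, expires, max-age, samesite
        else:
            flags.add(key)                # e.g. secure, httponly

    # Max-Age takes precedence over Expires; neither present means a session cookie.
    expires = None
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])

    # Without a Domain attribute the cookie is host-only, scoped to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    third_party = not (domain == first_party or domain.endswith("." + first_party))

    return CookieRecord(name=name.strip(), domain=domain, path=attrs.get("path", "/"),
                        expires=expires, secure="secure" in flags,
                        http_only="httponly" in flags, same_site=attrs.get("samesite"),
                        third_party=third_party)


def inventory(captured, now: datetime, first_party: str = FIRST_PARTY):
    """Turn a list of (host, Set-Cookie) pairs into CookieRecords."""
    return [parse_set_cookie(h, host, now, first_party) for host, h in captured]


def audit(records, declared: set, now: datetime) -> dict:
    """Compare what is actually set with what the policy declares, plus facts a notice may want."""
    seen = {r.name for r in records}
    longest = max((r for r in records if r.expires), key=lambda r: r.expires, default=None)
    return {
        "undeclared": sorted(seen - declared),    # set by the site, missing from the policy
        "stale": sorted(declared - seen),         # in the policy, no longer set
        "third_party": sorted(r.name for r in records if r.third_party),
        "session_only": sorted(r.name for r in records if r.expires is None),
        "longest_lived": longest.name if longest else None,
        "longest_lived_days": (longest.expires - now).days if longest else None,
    }


def run_audit() -> dict:
    """Audit the constructed capture against the constructed declared list."""
    return audit(inventory(CAPTURED, NOW), DECLARED, NOW)


if __name__ == "__main__":
    for r in inventory(CAPTURED, NOW):
        print(f"{r.name:8} {r.domain:28} third-party={r.third_party!s:5} expires={r.expires}")
    print(run_audit())
```

Run against a real capture (for example the Set-Cookie headers recorded by the browser’s developer tools over a full visit), the “undeclared” and “stale” lists are what tell you whether the cookie wording in the policy is still correct, while the third-party and longest-lived entries are the facts most likely to matter to a reader.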

In summary

Like so many other information disclosures (such as the many in accounting), there is a balance to strike between disclosing too little and too much. When writing your privacy policy, what you need to ensure is that the information is correct and that your communication of it is concise, transparent and in plain language.