The General Data Protection Regulation (GDPR) requires you to disclose certain information to people whose data you collect, use, store or otherwise “process”.
The Regulation does state what needs to be disclosed. However, it isn’t prescriptive, which has led to much confusion as to exactly what level of detail to provide in a privacy notice.
There is uncertainty in three particular areas.
What data is in the scope of the Regulation?
The scope of the GDPR is personal information; that is, information that could identify an individual. Context is important in deciding what counts as personal information.
There is some information that clearly identifies an individual. Payroll information that lists salary by name would constitute personal information, as would salary by job title, if job titles could identify to whom salaries were paid.
Then there is information that identifies an individual only through context. Maternity pay for the business would be personal information if it were known that it related to one specific person. Maternity pay if there were several people on maternity leave over the same period might not be personal.
Distinguishing personal data becomes more difficult when there could be multiple contexts. Information relating to sole traders is an excellent example. Where information such as name and contact information is used for business, it falls outside the scope of GDPR. However, that same information might be equally used for personal reasons as well (certainly a name, and possibly a mobile telephone). Here it is not only necessary to consider what data is processed, but the context in which it is.
Similarly, information about employees is likely to be in the scope of GDPR. If you have a database that gives Mary as the customer support representative for a supplier, that is probably business data and out of scope. As soon as anything further that is personal to Mary is known (such as an e-mail conversation between you that tells you what she did at the weekend), that becomes personal data and within scope.
Categories of data, purpose and grounds for processing
GDPR only requires you to identify categories of personal data and, for each, the lawful basis on which it is processed and the purpose of processing.
The Regulation doesn’t specify how granular the information must be. At first, it may seem best to be as transparent as possible by being very specific.
However, the more specific you are, the more you confine yourself to that data or those uses. We believe the ideal balance is probably to use a reasonably wide description of a category of data (such as “contact information”) and then give specific examples as to what may be in that category (such as “telephone number and e-mail address”).
To make disclosure decisions a little more difficult, if the data subject provides you with his or her own data, you are not required to set out what this is.
In the case of data processed to carry out a contract, the categories of data, the basis and the purpose are likely to be the same. For example, the information that is given in order to allow you to perform your service (category and purpose) is likely to be processed under Contract (basis). Given that the majority of information is likely to have been given by your client, there probably isn’t much other information to disclose (to that data subject, although there might be to other related parties).
A last consideration on this point is that if any data subject wants to know the specific details of what information you hold about him or her, and the basis for processing, he or she has a right to ask you. So the GDPR gives an opportunity to be specific if specificity is required. As a side note, there are situations that don’t require you to fulfil this request.
Cookies are a way of collecting and reading data between webpages. They are small pieces of data that a website asks the web browser to store when a user visits one webpage, and which the browser sends back so they can be read or modified on another. Commonly they are used for tracking behaviour (such as the order of webpages visited), or for recording information between webpages (such as storing the answers to a set of questions on one page, for use on another).
The depth of information you provide about cookies does not need to be great, just sufficient.