What types of data protection risk are there?

Data protection risks come in all shapes and sizes. They are not always easy to identify. How do we know what to look for and how serious they could it be?

There are risks to individuals (e.g. employees, customers, patients, clients etc) which are paramount under data protection laws. But there are also commercial and reputational risks for businesses relating to their use for data.

Risks could materialise in the event of a data breach, failure to fulfil individual privacy rights (such as a Data Subject Access Request), complaints, regulatory scrutiny, compensation demands or even class actions.

We should recognise our service & technology providers, who may handle personal data on our behalf, could be a risk area. For example, they might suffer a data breach and our data could be affected, or they might not adhere to contractual requirements.

International data transfers are another are where due diligence is required to make sure these transfers are lawful, and if not, recognise that represents a risk.

Marketing (either in-house, agency or tech platforms) could also be a concern, if these activities are not fully compliant with ePrivacy rules – such as the UK’s Privacy and Electronic Communications Regulations (known as PECR). Even just one single complaint to the regulator could result in a business finding themselves facing a PECR fine and the subsequent reputational damage.

The seven core data protection principles under UK and EU GDPRs are a great place to start when trying to identify where data protection risks may lie.

Data protection principles

1. Lawfulness, fairness and transparency

Is what we’re doing legal? Have we identified a suitable lawful basis, and are we meeting the conditions of this lawful basis? Is it fair and ethical? Are we being transparent about what we do in our privacy notices? See DPN Lawful Basis Guide

2. Purpose limitation

Are we only using personal data in the ways we told people it would be used for? We might want to use their data in new ways, but are these compatible with the original purpose(s) we gathered the data for? If we surprise people, they’ll be more likely to complain.

3. Minimisation

Are we collecting, using and holding onto more data than we actually need? Is some data collected and kept ‘just in case’ it might be useful in future?

4. Accuracy

Inaccurate or out-of-date personal information could lead to false assumptions which could come back to bite us.

5. Storage limitation

Hoarding data for longer than necessary could mean the impact of a data breach is much worse. Over-retention of people’s data could be exposed when handling a Data Subject Access Request, or an or Erasure Request. See DPN Data Retention Guidance

6. Information Security

Have we implemented robust security measures and controls to make sure personal data is protected, when at rest on our systems and when its transferred?

7. Accountability

Are we in a good position to defend what we do with the data? If scrutinised, do we have suitable records & evidence to demonstrate that we’ve taken data protection seriously? See Quick Guide to Data Governance

The lengths we go to try and embed these principles across our organisation will clearly differ depending on the sensitivity of personal data involved and what we’re using it for. When considered what security measures are appropriate, we should take a proportionate approach.

Some activities can automatically bring with them more risk. For example; handling special category data (such as health data, biometrics, sexual preference and ethnicity), collecting children’s data, using innovative technology such as AI and any activities which could result in an automated decision being made about someone.

We need to consider people’s privacy rights and have procedures in place to handle any requests we receive. For example, their right to be informed, right of access, right to object, right to erasure and so on. An inability to fulfil such requests may draw unwelcome attention.

In certain circumstances it’s mandatory to conduct a Data Protection Impact Assessment (DPIA). Conducting an assessment can often be useful, even if what you’re doing doesn’t fall under the mandatory criteria. It can help us to identify data risks from the outset so you can put measures in place to mitigate risks before they have any opportunity to become an issue. See DPN DPIA Guide.

Mistakes can happen

Here are some issues or gaps which could lead to data protection risks coming to the surface.

  • People-related risks – such as lack of training and lack of governance or ownership
  • Process risks – such as poor data handling procedures or manual processing on Excel / Sheets.
  • Technology risks – such as ineffective controls on core systems, or ineffective archiving/deletion processes.

If you don’t know where your risks lie, you won’t have a handle on how much risk the business is carrying. You may have several significant risks, but multiple low-level risks could also prove damaging.

Listen back to our online discussion: Managing and Assessing Data Protection Risks 

Privacy Notices Quick Guide

The right to be informed

All businesses need an external facing Privacy Notice, aka Privacy Policy, if collecting and handling people’s personal information.

Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements our Privacy Notices.

privacy notice guide from the data protection consultancy DPN - Data Protection Network

Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy. 

As context, there are 5.6m businesses in UK of which SMEs (less than 250 employees) represents 99% of the total. According to IAPP research approximately 32,000 organisations in UK have a registered DPO. It’s right, therefore, to focus on SMEs. 

But how onerous is small business data protection now? Arguably, the answer is, not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with: 

1.     Do I need to worry about data protection regulation? 

Yes. Pretty much any business processing personal data for commercial purposes need to worry about data protection. (It does not apply to purely ‘personal or household activity’). Having said that, the law and regulatory advice focuses on taking a ‘proportionate’ approach. There’s no one size fits all and it will depend on the risk appetite of your organisation. 

2.     Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis. 

3.     Do I need a RoPA (Record of Processing Activity)

Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in UK.

If you have less than 250 employees, you don’t need a RoPA if the following applies:

  • Processing does not pose a risk to the rights and freedoms of the data subject 
  • No special category data is being processed
  • If the processing is only done occasionally

The debate start when you consider what constitutes a ‘risk to the rights and freedom of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form is not. 

There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as current prescribed.

4.     Do I need to register with ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not for profit status is a possible example. 

 5.     Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6.     How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step by step set up guides. There is really no excuse not to have a cookie notice. 

7.     What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them? 

8.     What about Individual Rights? 

Yes. Every individual has clear rights and irrespective of the size of the organisation you need to fulfil these requests. 

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these might apply to a small business but it’s important to decide how to recognise and respond to these requests from individuals. 

9.    Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are: 

  • Boundary firewalls and internet gateways
  • Secure configuration.
  • Access control.
  • Malware protection.
  • Patch management.

10.  What about International Data Transfers? 

Hopefully no! If you and your suppliers are only operating in UK and Europe stop reading now. However, if any data is exported to a third country (such as USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through. 

When EU-US Privacy Shield was invalidated in 2020 this caused significant problems for data transfers between US and EU/UK. At the time, Max Schrems’ advice was to only work with companies based in UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp. 

Many, if not most, businesses will have dealings with these three and the reality is that you must accept they’re not going to change anything for you, or choose not to use them. 


Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care. 

There’s more helpful information available on the ICO’s Small Business Hub.

Data Protection Basics: The 6 lawful bases

November 2022

A quick guide to the six lawful bases for processing personal data

One of the fundamental data protection principles is that our handling of personal data must be ‘lawful, fair and transparent’. To be lawful, clearly, we shouldn’t do anything illegal in general terms. But what else does it mean to be lawful?

We’re given six lawful bases to choose from under UK/EU GDPR. For each purpose we use personal data for, we need to match it with an appropriate lawful basis.

For example a purpose might be:

  • Sending marketing emails to our customers
  • Profiling our audience to better target our marketing
  • Handing staff payroll data to pay salaries
  • Handling customer enquiries about our services
  • Delivering a product a customer has requested
  • Implementing measures to prevent fraud

We need to select the most appropriate lawful basis and meet its own specific requirements. Each basis is equally valid, but one may be more appropriate than others for any specific task. We’re legally obliged to set out the lawful bases we rely on in our privacy notices.

If none of them seem to work, you may want to question whether you should be doing what you’re planning to do.

Quick guide to the 6 lawful bases

(This is not intended to be exhaustive, do check the ICO’s Lawful Basis Guidance)

1. Contract

This lawful basis will be appropriate if you need to process an individual’s personal information to deliver a service to them. Or you need collect certain details to take necessary steps before entering into a contract or agreement.

Example 1: An individual purchases a product from you and you need to handle specific personal information about them in order to deliver that product, including when you acknowledge their order, provide essential information, and so on.

Example 2: Someone asks you to give them a quote for your services, and you need certain information about them in order to provide that quote.

Contract tips:

  • It doesn’t apply to other purposes you may use the data for which are not essential.
  • It’s most likely to be used when people are agreeing to T&Cs, although it can also be used where a verbal agreement or request for information is made.
  • The person whose data you’re processing must be party to the contract or agreement with you. It doesn’t apply if you want to process someone’s details, but the contract is with someone else, or with another business.

2. Legal obligation

There may be circumstances where you are legally obliged to conduct certain activities, which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation.

Example 1: You are offering a job to someone outside the EU. You need to check they have a visa to work in the UK, as this is a legal obligation.

Example 2: Airlines and tour operator collect and process Advance Passenger Information (API) as this is a legal requirement for international air travel.

Legal obligation tips

  • Legal obligation shouldn’t be confused with contractual obligations
  • Document your decision. You should be able to either:
    a) identify the specific legal provision you are relying on
    b) the source of advice/guidance which sets out your obligation.

3. Vital interests

You can collect, use or share personal data in emergency situations, to protect someone’s life.

Example: A colleague collapses at work, is unable to talk, and you need to tell a paramedic they have a medical condition. Common sense should prevail.

Vital interest tips

  • It’s very limited in scope, and should generally only apply in life and death situations.
  • It should only be used when you manifestly can’t rely on another basis. For example, if you could seek consent, you can’t rely on vital interests.

4. Public task

You can process personal data if necessary for public functions and powers that are set out in law, or to perform a specific task in the public interest.

Most often this basis will be relied upon by public authorities and bodies, but it can apply in the private sector where organisations exercise official authority, or carry out tasks in the public interest.

Public task tips

  • If you could reasonably perform your tasks or exercise powers in a less intrusive way this basis won’t be appropriate. The processing must be necessary.
  • Document your decisions, specify the task, function or power, and identify the statutory or common law basis.

5. Legitimate Interests

This is the most flexible lawful basis, but don’t just assume what you’re doing is legit. It’s most likely to be appropriate when you use people’s data in a way they’d reasonably expect. Where there is minimal impact on them, or where you have a compelling justification.

Legitimate interests must be balanced. You must balance the organisation’s interests against the interests, rights and freedoms of individuals. If your activities are beyond people’s reasonable expectations or would cause unjustified harm, their rights and interests are likely to override yours. Legitimate interests – when it isn’t legit

Legitimate Interests tips

  • Conduct and document a Legitimate Interests Assessment (LIA). This may be relatively simple and straight-forward, or more complex.
  • Consider whether you can provide people with an easy way to object. This is not essential in all situations (e.g. fraud protection).
  • Be open about where you rely on legitimate interests so its likely to be in people’s reasonable expectations.
  • Remember to include what your legitimate interests are in your privacy notice.
  • Check the ICO’s guidance on when legitimate interests can be relied upon for marketing activities.

6. Consent

This is when you choose to give individuals a clear choice to use their personal details for a specific purpose and they give their clear consent for you to go ahead. The law tells us consent must be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes given by a ‘clear affirmative action’.

Consent is all about giving people a genuine choice and putting them in control. They must be able to withdraw their consent at any time, without a detrimental impact on them.  Consent, getting it right.

Consent tips:

  • It should be clear what people are consenting to
  • Consent shouldn’t be bundled together for different purposes, each purpose should be distinct
  • It must not be conditional – people shouldn’t be ‘forced’ to consent to an activity as part of signing up to a service.
  • Consent is unlikely to be appropriate where there may be an imbalance of power. For example, if an employee would feel they have no option but to give consent to their employer (or might feel they could be penalised for not giving it).
  • The law sometimes requires consent. For example, under the electronic marketing rules consent is sometimes a requirement.

In summary, consider all the purposes you have for processing personal data. Assign a lawful basis to each purpose and check you’re meeting the specific requirements for each basis. Tell people in your privacy notice the lawful bases you rely on, and specifically explain your legitimate interests.

Finally, don’t forget, if you’re processing special category data (for example data revealing racial or ethnic origin, health data or biometric data) you’ll need a lawful basis, plus you’ll need to meet one of the conditions under UK GDPR Article 9.  For criminal convictions data you’ll need a lawful basis, plus one of the conditions under UK GDPR Article 10.

Data Protection Basics: The 7 data protection principles

November 2022

Understanding the key principles of data protection

Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone for good practice and key to complying with UK / EU GDPR.

Here’s our quick guide to the data protection principles.

1. Lawfulness, fairness and transparency

This principle covers 3 key areas.

a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from.

We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people.

We should also be sure not do anything which is likely to contravene any other laws.

b) Fairness – We must only use people’s data only in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse affects on individuals.

c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up to date privacy notice and making this easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.

2. Purpose limitation

This is all about only using personal details in the ways we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.

Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do it, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If not, then we may need to secure the individual’s consent before going ahead.

Remember, if we surprise people, they ‘ll be more likely to complain.

3. Data minimisation

We must make sure the personal data we collect and use is:

  • Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
  • Relevant – relevant to that purpose; and
  • Limited to what is necessary – don’t use more data than we need for each specific purpose.

4. Accuracy

We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up-to-date and not misleading.

It’s good practice to use data validation tools when data is captured or re-used. For example, validate email addresses are in the right format, or verify postal addresses when these are captured online.

If we identify any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.

Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed.

Perhaps find ways to give people the opportunity to check and update their personal details?

5. Storage limitation

Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified.

Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period. Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify.

The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is key step to making sure you can comply with this principle.

When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer. For example, when legal hold applies. For more information see our Data Retention Guidance.

6. Security

This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. This requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold.

UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These includes things like physical and technical security measures, conducting information security risk analyses, having information security policies & standards in place to guide our staff.

Our approach to security should be proportionate to the risks involves. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take.

Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users.

Cyber Essentials or Cyber Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.

Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors securely handling their processing of the data you control? Carry out appropriate due diligence to make sure.

7. Accountability

The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles.

This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team and down through to the teams that process personal data.

To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA).

The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.

In summary, identify the lawful bases you’re relying on and be fair and be open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach.  The ICO has published more detailed guidance on the seven principles.

Controller or processor? What are we?

November 2022

Are you a service provider acting as a processor? Or a controller engaging a service provider? Is the relationship clear?

There are a few regulatory cases which remind us why it’s important to establish whether we’re acting as a controller or a processor, and to clearly define the relationship in contractual terms.

On paper the definitions may seem straight-forward, but deciding whether you’re acting as a controller, joint-controller or processor can be a contentious area.

Two regulator rulings to note

  • The ICO has taken action against a company providing email data, cleansing and marketing services. In the enforcement notice, it’s made clear the marketing company had classified itself as a processor. The ICO disagreed.
  • The Spanish data protection authority (AEPD) has ruled a global courier service was acting as a controller for the deliveries it was making. Why? Largely due to insufficient contractual arrangements setting out the relationship and the nature of the processing.

Many a debate has been had between DPOs, lawyers and other privacy professionals when trying to classify the relationship between different parties.

It’s not unusual for it to be automatically assumed all suppliers providing a service are acting as processors, but this isn’t always the case. Sometimes joint controllership, or separate distinct controllers, is more appropriate.

Organisations more often than not act as both, acting as controller and processor for specific processing tasks. Few companies will solely be a processor, for example, most will be a controller for at least their own employment data, and often for their own marketing activities too.

What the law says about controllers and processors

The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.

A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

How to decide which we are

There are some key questions to ask which will help organisations reach a conclusion.

  • Do we decide how and what personal data is collected?
  • Are we responsible for deciding the purposes for which the personal data is processed?
  • Do we use personal data received from a third party for our own business purposes?
  • Do we decide the lawful basis for the processing tasks we are carrying out?
  • Are we responsible for making sure people are informed about the processing? (Is it our privacy notice people should see?)
  • Are we responsible for handling individual privacy rights, such as data subject access requests?
  • Is it us who’ll notify the regulator and/or affected individuals in the event of a significant data breach?

If you’re answering ‘yes’, to some or all of these questions, it’s highly likely you’re a controller.

And the ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”.

Controller or processor? why it’s important to confirm your status

Controllers have a higher level of accountability to comply with all data protection principles, and are also responsible for the compliance of their processors.

If you are a processor, you must only handle the controller’s data under their instructions.

This means if you’re doing anything else with this data, for your own purposes, you can’t be a processor for those purposes. You will be acting as a controller when the processing is for your own purposes.

Let’s be clear though, this doesn’t mean a processor can’t make some technical decisions about how personal data is processed.
Data protection law does not prevent processors providing added value services for their clients. But as a processor you must always process data in accordance with the controller’s instructions.

Processors also have a number of direct obligations under UK GDPR – such as the technical and organisation measures it uses to protect personal data. A processor is responsible for ensuring the compliance of any sub-processors it may use to fulfil their services to a controller.

Controller-Processor data processing agreements

If the relationship is controller to processor, you must make sure you have a suitable agreement in place. The specific requirements for what must be included in contractual terms between a controller and processor are set out in Article 28 of EU / UK GDPR.

Often overlooked is the need to have clear documented instructions from the controller. These instructions are often provided as an annex to the main contract (or master services agreement), so they can be updated if the processing changes.

There will be times where you’re looking to engage the services of a household name, a well-known and well-used processor. There may be limited or no flexibility to negotiate contractual terms. In such cases, it pays to check the terms and, if necessary, take a risk-based view on whether you wish to proceed.

What’s clear from the Spanish courier case is how important it is to have contracts in place defining the relationship. The ICO ruling demonstrates even if your contract says you’re a processor, if you are in fact in control of the processing, this will be overturned, and you’d be expected to meet your obligations as a controller.

Privacy notices – the 8 deadly sins

August 2022

There are seven original sins, but Privacy Notices have eight!

Scary, eh? If we’re not careful, they can be like a radio advert where the voiceover person speaks really, really fast to mention stuff they’re obliged to say but assume nobody wants to hear.

Which is all very well, until a juicy complaint thunders into the ICO’s in-box and it transpires your privacy notice is written in legal hieroglyphics you need a PhD to understand.

The rules are clear and carved in tablets of stone (well, UK/EU GDPR) – the notice has to be ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’. Also, you have to cover specific mandatory areas.

Recently, late on a Friday night, I found myself reading the privacy notice on a Tory leadership contender’s website. My rock’n’roll lifestyle, eh? Needless to say, it was rubbish. And these are the people passing data protection law?

Why should we care about our Privacy Notices?

Your privacy notice might be the loneliest, least-visited corner of your website. So why care about getting it right?

  • Done well it says, ‘we care about data protection’. It can increase people’s trust in your organisation – the more trust, the more likely people are to engage.
  • Remember, prospective clients and partners are likely to scrutinise your privacy notice as part of their due diligence. It’s definitely something I do for clients.
  • If you miss activities out, you may come a cropper when things go wrong. Your privacy notice is your ‘shop window’ for data protection matters and just like your customers, the ICO can take a peek whenever they want. For example even before GDPR, several charities found themselves in hot water for not telling people they carried out wealth screening.
  • The right to be informed is a legal requirement. The ICO says serious breaches of the right to be informed could leave you open to the highest tier of fines. Is it worth taking the risk?

With this in mind, here are my Eight Deadly Sins

1. Don’t copy someone else’s

There’s no harm in looking at how others do things, and how they’ve worded things. This is helpful, but resist the temptation to cut ‘n’ paste. They might have it wrong, they might have missed out core requirements and they might be doing things differently from you. And you don’t need to be much of a detective to work this one out when something goes wrong.

2. Don’t use a standard template…

… without taking the time to tailor it to what you actually do. For example, what do you use personal information for? You need to list the activities YOU do.

3. Don’t get a lawyer to write it…

… unless they have a flair for using down-to-earth, easy-to-understand language. Grab your best copywriter and get them involved.

4. Don’t quote the law

“As a data subject you have the right to obtain from us (the controller) confirmation as to whether or not personal data concerning you is being processed, and where this is the case, access to the personal data”.

Legal rubric is written for courts and lawyers. It isn’t meant to be ‘easy’ to understand (not on purpose, but because legal discourse has a specific context). This is not the case for your privacy notice, so as to the above paragraph, just NO!

(p.s. the same goes for your internal policies which you expect ALL staff to adhere to, don’t make them impossible to understand).

5. Don’t use GDPR jargon

Most people don’t know what processing, controller, processor, pseudonymisation and third-party mean. And why would they? Don’t force them to look up GDPR definitions to understand what you’re talking about (as this is unlikely to help either).

Don’t get me started on profiling – does your audience know what this means? It all sounds a bit ‘Silence of the Lambs’ if you ask me.

It’s better to clearly explain what you mean without using words which people either won’t understand or could be easily misunderstood.

6. Don’t leave out core requirements

There are specific areas we’re obliged to cover. The ICO has a clear checklist for this.

What routinely gets overlooked? In my experience:

  • The lawful bases relied upon. Tricky to drop in without sounding like legal speak. Using a table can help, or drop downs so those who want to delve into this detail can.
  • Legitimate interests – remember we’re told to tell people what our legitimate interests are.
  • The right to complain to the ICO.
  • Who personal information is shared with.
  • International data transfers.

7. Don’t leave it out because it’s too difficult to write down

There’s an art to explaining complex stuff simply, and this is one of those occasions where it pays to learn.

8. Don’t hide it

Sometimes I search high and low on websites to find the privacy notice. Why not just provide a link in the footer on every website page? And don’t make the font so small I have to scramble for my reading glasses (yes, my life really is that rock’n’roll). Privacy information shouldn’t be hard to find. Again, when something bad happens, do you really want someone alleging you were deliberately trying to hide it.

Clarity, being concise, using plain English – it’s obviously subjective

You know your customers better than anyone and you want to keep them. So reflect this in the way you present your privacy notices.

Try them out on your friends and colleagues who don’t work in your world. Do they understand them? Stress test, your notices before you publish them – and why not keep a note of that too? Demonstrating good faith and recording your decision-making is never a bad thing.

Let me know what does or doesn’t work for you – best practice is what we’re all about.

What's the ICO focusing on?

August 2022

A new direction for the Information Commissioner's Office

Empowering individuals and supporting business is at the forefront of a ‘new direction’ for the ICO.

John Edwards, who took the helm as Information Commissioner at the beginning of the year, is keen to position the Regulator as supporting businesses to realise the benefits of data-driven innovation, whilst upholding people’s information rights. He accepts this is a careful balance.

His first step was a six-month ‘listening’ exercise to understand businesses, organisations and people’s experiences of engaging with the ICO.

Next was the launch of ICO25 – a strategic plan and how the ICO will achieve its aims over the next two years.

So what of the new Commissioner so far?

Frankly, a breath of fresh air. There’ve been several indications Mr Edwards is not afraid to speak up about serious topics. In May, he published a straight-talking opinion on changes the Regulator wanted to see to the data protection approaches of police forces, in relation to victims of rape and serious sexual assaults.

The ICO25 plan

The ICO25 is a strategic plan which sets out why the ICO’s work is important, what they want to be known for (and by whom) and how they intend to achieve this over the next two years.

John Edwards recognises resources are finite, and they have to make choices about where to focus and how to spend their time. He wants to bring “the greatest benefit to the greatest number”.

The ICO25 video address kicks off with, “It’s about relationships.. trust, equality, dignity and democracy”. In fact Mr Edwards talks about people rather a lot. Bravo! This is much more what I’d like to hear from the ICO.

Safeguarding and empowering people

There’s a new focus around the ICO’s purpose. Safeguarding people, particularly the most vulnerable, and upholding their information rights. Speaking at the launch of the plan, John Edwards said:

“My most important objective is to safeguard and empower people, by upholding their information rights. Empowering people to confidently share their information to use the products and services that drive our economy and society.

“My office will focus our resources where we see data protection issues are disproportionately affecting already vulnerable or disadvantaged groups. The impact that we can have on people’s lives is the measure of our success. This is what modern data protection looks like, and it is what modern regulation looks like.”

John Edwards has also made it clear he intends to make it easier for people to access remedies if things go wrong. There has been a fair amount of criticism levelled at the ICO in this respect. The plan also talks about promoting openness and transparency.

Support for businesses

For business, the ICO’s stated objective is to “empower responsible innovation and sustainable economic growth”. How do they hope to achieve this?

  • Give organisations the knowledge they need to plan, invest, responsibly innovate and grow. This means giving more certainty about the law and more helpful guidance and tools.
  • New training materials have been published around data protection and freedom of information. The plan is to collaboratively produce more sector-specific guidance, asking representative groups to co-design materials to provide tailored and targeted advice.
  • Small businesses are a key focus too. The ICO reminds us about their SME hub, which includes examples and bring together good practices to help SMEs comply with the law, develop a trusted customer base, know how to deal with subject access requests and so on.

Reducing the cost of compliance

Mr Edwards talked about plans for the new data protection law, and has challenged his team to reduce the cost of compliance for businesses, in fact he’s set a target to save businesses at least £100 million over the next 3 years.

Alongside this the new Data Protection and Digital Information Bill is currently progressing through Parliament. Mr Edward’s views on this?

“I share and support the ambition of these reforms. I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.

“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”

Plans for the public sector

The ICO plans a revised approach to public sector fines, recognising public money is best used to support the delivery of essential services. Mr Edwards says this is “a clear signal that regulation works best when we [the ICO] stands alongside organisations, encouraging change and improvement”.

He spoke of launching a Cross Whitehall Senior Leadership Group to drive compliance and high standards of information across government departments – with commitment from DCMS and the Cabinet Office in making this happen.

So what do we think?

Based on the new Commissioner’s first 6 months, we’re feeling optimistic the ICO is in good hands. The year ahead should be a particularly interesting one, with growing expectations the UK’s new Data Protection and Digital Information Bill will land next Spring or Summer and a clear new direction for the ICO.

Along with perhaps a bit of a headache to update current UK GDPR guidance!