The Information Commissioner's Office (ICO) recently published the results of its survey into public perception of data protection. The research concluded that only 20% of the UK public have "trust and confidence" in organisations holding their personal data and that only 8% have a "good understanding" of how their personal data is shared by organisations. This survey follows a review of website privacy notices conducted by the ICO (together with a number of other data protection authorities around the world). This international study found that website privacy notices are "generally inadequate", which is quite generous considering that, for example, 26 of the 30 policies reviewed by the ICO failed to explain adequately whether they shared personal data with any third parties.
In light of these two studies, it would seem that organisations will have a fair amount of work to do in the coming months to ensure compliance with the GDPR principle of "lawfulness, fairness and transparency" in the processing of personal data. An important part of this transparency principle is individuals' right to be informed (Articles 13 and 14 of the GDPR) that an organisation holds their personal data and what is being done with that data - which is where privacy notices come in.
Privacy notices, sometimes referred to as privacy policies, fair processing notices or data protection policies, are already required under the existing data protection legislation, and the GDPR spells out the details that will need to be provided in each of these notices. Amongst other information, privacy notices will need to include: the identity and contact details of the organisation, the purposes of processing the personal data as well as the legal basis of processing, recipients of the personal data (i.e. third parties with whom the data is shared), details of any transfers of personal data outside the EU, data retention periods and the existence of the individuals' rights under the GDPR in respect of their personal data. Where the personal data was obtained indirectly by the organisation, the privacy notice also needs to include the categories of data as well as the source of the data.
In order to comply with the transparency principle, each organisation will need to know what personal data it processes and why, and it will need to communicate this clearly to any individuals whose personal data it processes.
The good news for small and micro organisations is that the ICO has recently launched a new dedicated telephone service aimed at helping such businesses with data protection matters. This complements the growing list of guidance and resources it has already made available on its website to assist with preparations for the GDPR.