Sally Mewies: Welcome to the General Data Protection Regulation (GDPR) Compliancy Check List for October. We're now moving into an area that I think lots of businesses will be faced with; it's a challenging area under GDPR, and that's the whole thorny topic of privacy notices. So Rocio, these are going to be much trickier, and when we're talking about privacy notices we're talking about notices you might give to employees, notices you might give to customers on websites, etc. Do you want to talk to us about why crafting a privacy notice that's GDPR compliant is much more difficult than it might have been in the old regime?
Rocio De La Cruz: Yes, of course. So it's absolutely a challenging thing. All the data mapping exercises that we were talking about in previous sessions, now you need to look at that to make sure that you understand all the processing of personal data, because you will need to include all that information in your privacy notices. Also, the information that you need to provide to individuals changes depending on whether you are collecting data directly from the data subject, from the individual, or you are receiving data from a third party, so it's something that you really need to check. You need to make a list of what information you need to include in each case and then do that: tick, tick, tick, tick that you are including every single bit of information included there.
So that includes, obviously, the categories of personal data you are processing, the purposes for which you are processing the personal data, separately and very clearly, then you need to include who the data controller is; if you have a representative or data protection officer (DPO) you need to include details for them; you need to give information about all the data subject rights, one by one, explaining how they can exercise these rights; and also regarding the transfer of data, whether or not the organisation is transferring data out of the EEA, whether or not that is a secure transfer of data, and so on.
But the thing is not only the content; the thing is also that you need to be transparent and you need to think about the audience, and you need to make sure that your audience understands. So it's not the same giving information to your employees as giving information to customers, but also I would even say that it's not the same giving information to customers who are young people, or customers who are vulnerable people, or any other individuals.
Since the GDPR is asking you to be transparent and it is a requirement, it's not a recommendation, drafting the privacy notice is a really, really challenging thing, because if you think in practice, Sally, who reads privacy notices, apart from us when we are working, and if you read the whole thing? I mean, I ask my friends, for example, as customers: when you are downloading an app that you are going to use and you are displayed with the privacy notice, do you read them? And none of them say yes.
If you as a data controller need to assure that the individuals you are processing the data from have read this or have been given that information, you need to think about more attractive and effective ways to do so. So the Information Commissioner's Office (ICO) is recommending to use layered information, just-in-time notices. I've seen as a customer in some apps that I use that, for example, when I publish a picture there is a notice displayed saying "do you know who is accessing that picture? Click here if you want to know more", these sorts of things, and also introducing the use of symbols and icons that could help the individuals to recognise what each bit of information is about. So, for example, if I'm interested in knowing how long this data controller is keeping my personal data for, then if I see a clock, perhaps that gives me an idea that this is the bit of information I'm interested in. So definitely challenging times for all of us in order to make sure that we comply with all these requirements with regards to privacy notices.
Sally: So just to drill down a little bit, Rocio, into privacy notices and your point about the ICO recognising, well, the regulators recognising that people don't read these, but in fact we're actually seeing a requirement to have more information, not less: how do we, how do you make these interesting, how do you make people want to read these privacy notices, especially when they're looking at applications on a phone, which clearly is limited in terms of space?
Rocio: Yes, so you need to make sure that the language is absolutely plain, and you even need to consider working with marketing teams to make it a little bit more attractive. If an app is used by children you need to think about how a child would understand that, so you really need to think about using different forms, even considering videos or even considering any other sort of comics or things that they will recognise and understand, and also in a limited space.
Sally: And then just on the just-in-time notices, that works, does it, by showing you a statement whenever your data is going to be used in a slightly different way from the way it may have been used before in the story of that application? It then pops up and says you're about to do this, which means that we're going to do this with your data, so it gives you that opportunity to not do that, to not take that step. Is that the thinking behind that?
Rocio: Yes, yes absolutely, that is correct.
Sally: Good, so that I think is everything in terms of privacy notices. There's a lot to do there and a lot to think about in terms of getting those right, and certainly October is not, it's probably not soon enough in terms of starting to redraft that. And that's all for our October GDPR Compliancy Check List.