GDPR and privacy notices

Under GDPR, businesses will need to update their privacy notices or create a new one if one is not available. This is so that businesses can meet the GDPR principle of transparency. The privacy notice will enable individuals to be aware of what data is held on them, how the data is collected and who to contact if they want to make a data access request.  The contact details would also be used if they wanted to withdraw consent or have their data updated.


The first step for updating a privacy notice is to ensure that the language is concise, transparent and written in clear plain language. It must be free of charge and it needs to be easily accessible. Some companies are opting for a short pop up privacy notice that appears on the home page of their website with a link to a larger privacy statement that contains more detailed information. Like businesses, privacy notices come in all sizes depending on what personal or sensitive data your organisation collects.


What should be included in the privacy notice?


  1. Your business name along with the name and contact details of the data protection officer if you have one, or the nominated person who is responsible for Data Protection in your business.
  2. How you collect the personal data, for example, does it come from your website, over the phone, face to face or in writing.
  3. The type of personal or sensitive data you collect. For example, is it just an email address, postal address or do you collect credit cards for online payments?
  4. Provide assurances that the personal data you hold is kept secure and that appropriate IT safeguards are put in place to protect data.
  5. If you collect sensitive data or data on children, you will need to assure users of the extra security checks you have in place to ensure their data is securely protected.
  6. The reason why you collect the data and what you do with it. For example, is it to provide a service, to process payments or for communication purposes?
  7. What is the legal basis that you are relying on to process personal data? There are six legal bases which are: 1) consent, 2) contract, 3) legal obligation,           4) public interest, 5) vital interest and 6) legitimate interests.
  8. If you rely on legitimate interest for one of your reasons to process personal data, the privacy notice will need to explain clearly what are the legitimate reasons used.  For example, GDPR uses the following examples as potential legitimate interests: client or employee data, marketing, fraud prevention, intra-group transfers, or IT security.
  9. If you rely on consent as a legal basis, give details of how someone can easily withdraw consent, request for their data to be updated or to have it erased.
  10. Give details of how individuals can make a data access request and include the fact that it is free of charge.
  11. If you collect personal data from publicly available sources or acquire them from third party data vendors, you will need to state that you gather this data as well.  
  12. Advise that individuals have the right to lodge a complaint with the Data Protection Commission and you may want to include a link to their website.
  13. For any personal data that is processed, stored or handled outside of the EEA (European Economic Area) detail the security measures you take to ensure their data is protected and secure. Confirm that appropriate contracts are also in place.
  14. If the data is shared with third party organisations you will need to provide the details of those organisations who receive the personal data.
  15. If you conduct any automated profiling you will need to explain what activities you undertake for using personal data for profiling purposes which should include information on how decisions are made with this information, the significance and the consequences of using the type profiling you undertake.
  16. You should include a reference to your data retention policy on how long you keep the data.
  17. If the provision of data is for a legal or contractual reason, you will need to detail the consequences if an individual has refused to supply that data.

It is recommended that you advise users that when they leave your website that any external links they click on to are not your responsibility and they should view that organisation’s privacy policy. Lastly, it is good practice to put a date on when the privacy policy was last updated.


Next week we will look at how to respond to a data access request under GDPR.  In the meantime you can avail of the GDPR toolkit to conduct your GDPR audit from the SFA website which you can download here.


If you would like more information on GDPR or to discuss your requirements further please contact Helen at SFA on 01 605 1668 or at or visit our GDPR section on

Facebook Twitter LinkedIn Digg Yammer
In this issue
SFA E-Zine – The Tuesday Edition
GDPR and privacy notices
BeSmart – a free online tool that easily assesses your health and safety risks
Five sectors bear 90% of the burden of Brexit according to new study
Grants of up to €150,000 available for companies in their first 18 months
Accenture SME banking survey results 2018
SFA GDPR in Action workshop
HR update 2018: From beginnings to endings and HR in the middle
GDPR in action – Cork
Discipline and Dismissal and other upcoming training courses