Your organisation has procedures to review the privacy information provided to data subjects regularly to make sure that it is accurate, up to date and effective.
Ways to meet our expectations:
- You review privacy information against the records of processing activities, to ensure it remains up to date and that it accurately explains what happens with individuals’ personal data.
- You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information you provided to data subjects and when.
- Your organisation carries out user testing to evaluate the privacy information’s effectiveness.
- Your organisation analyses complaints from the public about how you use their personal data, and in particular, any complaints about how you explain that use.
- If your organisation plans to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing.
Can you answer yes to the following questions?
Is there an effective review process?
Would individuals say that you provide effective privacy information?