Providing privacy information is a requirement of the DPA, and this code provides guidance on how to comply with this. The GDPR specifies further detail that organisations processing personal data will need to include in their privacy notices. We have summarised these in Privacy notices under the EU General Data Protection Regulation. Following the good practice recommendations in this code will assist you in meeting these obligations.

Following good practice in providing privacy notices helps you to deal with people in a clear and transparent way and empower them. This makes good sense for any organisation and is key to developing trust with customers or citizens.

If you empower individuals to manage what you do with their personal data, giving them more choice and integrating preference management tools, such as a privacy dashboard, with your privacy notice you may be able to obtain more useful information from them.

If individuals are able to exercise real choice over what is done with their personal data, you can be more confident that people have provided informed consent for their information to be used, if this is the legal basis you are relying on.

By taking this approach, you are firstly acting more openly and, in a data protection sense, more fairly, but you are also able to use data more effectively.

As digital interaction with consumers becomes the norm, privacy notices should be seen as flexible and deliverable via a number of mechanisms, often in combination. Following the good practice approach described here means that information can be provided at different times and at appropriate points during an organisation’s interaction with their customer.

The value of personal data is increasing and technology is rapidly developing. Personal data can be manipulated and used in increasingly sophisticated ways and sometimes on a large scale. Also, individuals often express general concerns about how their information is used but at the same time they often find it difficult to engage with privacy notices. This leaves them uninformed about how their information is being used and sometimes feeling unfairly treated as a result.

Providing meaningful and effective information in this context is an ongoing challenge for organisations but one that they must meet to comply with data protection law. To get this right, you need to identify the means of communication and the language and tone that is most appropriate to the audience bearing in mind the way that their personal data is being used.