What does a UK GDPR-compliant privacy notice look like? Lessons learned from a recent ICO enforcement decision
In April 2023, the UK Information Commissioner's Office (ICO) fined a social media company £12.7 million1 for a number of breaches of UK data protection law, including failing to use children's personal data in accordance with UK General Data Protection Regulation (UK GDPR) requirements.
Alongside the ICO's enforcement notice, the ICO published a 58-page Annex 3 which considers the specific wording of the company's privacy notices between August 2018 and July 2020 and sets out why the ICO concluded that the wording did not meet the requirements of the UK GDPR.
The ICO found that many of the general statements that we often see in privacy notices about lawful bases, recipients of personal data, international data transfers, and data retention were insufficiently detailed to satisfy the requirements of Article 13(1) UK GDPR and the UK GDPR principle of transparency.
Key Take-Aways
1. Mention how your data protection officer (DPO) can be contacted if you have appointed one. Not every organisation is required to appoint a DPO. However, if you have appointed a DPO, you should make this clear in your privacy notice and include information about how individuals can contact them. The ICO does not require organisation to include a named individual in privacy notices so including a generic email address (e.g. dpo@) or a form for contacting your DPO may be sufficient.
2. Include a clear link between the personal data you process, your purposes of processing, and the lawful basis you rely on. The ICO found that only listing the types of personal data, purposes and lawful bases separately falls short of the requirements under the UK GDPR. The ICO considered that organisations must present the information in a way that would allow data subjects understand what lawful basis applies to each processing activity. A practical way for organisations to achieve this may be by providing the required information in a table format such as the example below:
| Purpose of processing | Types of personal data | Lawful basis |
| Processing your payment |
|
Performance of our contract with you |
| Sending marketing emails |
|
Consent |
The ICO found that setting out the relevant lawful bases for different processing activities is also crucial for data subjects being able to effectively exercise their rights under the UK GDPR. The ICO considered that simply listing the lawful basis in general terms without naming the relevant processing activity might prevent data subjects, for example, from understanding when they can withdraw their consent or when they can object to the processing in question.
3. Be specific about who you share personal data with. The ICO found that a high-level description of recipients of personal data such as "analytics providers" or "business partners" was too broad and not adequately explained. Instead, the ICO argued that the privacy notice had to either include names of the recipients or at least sufficient details on the categories of the recipients. Where providing names of the recipients is not possible or practicable, businesses should explain who these recipients are, what they do with the personal data, and where they are located. If possible, avoid using legalistic language such as "affiliates" without explaining its meaning.
4. Mention specific countries to which you transfer personal data. The ICO found that the third countries to which personal data is transferred should generally be named in the privacy notice to allow data subjects make informed choices. Organisations should also specify whether the country benefits from an adequacy decision, and if not what safeguards have been implemented (such as the standard contractual clauses or international data transfer agreement) and how to obtain a copy of such safeguards. However, listing all the countries to which personal data is sent to might be a challenging task for global businesses using service providers and operating data centres in multiple locations across the world.
5. Include examples of the periods for which individuals' personal data will be stored. General statements about keeping personal data for as long as necessary for the purposes of processing is unlikely to comply with the UK GDPR. The ICO was of the view that the privacy notice had to provide its users with a clear period for which the personal would be stored or at least "meaningful" information about the criteria used to determine the retention period with specific examples. Broad statements about determining the retention period by reference to contractual obligations, legal obligations and any disputes was not, in ICO's view, "meaningful" for data subjects.
Why the enforcement notice may be relevant to all business subject to the UK GDPR
The enforcement notice is not general guidance for organisations subject to the UK GDPR2. ICO's decision to fine the company should be considered in the context of ICO's focus on protecting children from unlawful processing of personal data and the company's role as a major social media platform. In the enforcement notice, the ICO also considered public statements made by to the company relating to its processing of personal data (including that no UK user data processing is undertaken in China which the ICO found to be incorrect).
However, the enforcement notice provides further detail about what the ICO considers to be a (non-)compliant privacy notice which businesses might find useful. In particular, the extracts from the privacy notices analysed in Annex 3 may give businesses seeking to understand if their own privacy notices (including privacy notices for employees and job applicants, customers, suppliers, website and app users, and visitors) meet the level of the detail expected by the ICO a helpful benchmark.
Not so much divergence from the EU (at least for now)
The enforcement notice was issued under the UK GDPR after the end of the Brexit transition period. Nonetheless, the ICO made references to enforcement decisions issued by EU data protection authorities and guidelines from the European Data Protection Board (EDPB), including the Annex to Guidelines on Transparency under the GDPR.
This approach suggests that unless there is a specific reason for the ICO to diverge in its interpretation of the UK GDPR from the EU GDPR, the ICO will continue to take into account the guidance and decisions made by its counterparts in the EU.
However, ICO's approach might change in the future as it continues to develop its own guidance (including the Guidance on the right to be informed) and as the EU and UK GDPR continue to diverge through legislative and judicial developments on both sides of the English Channel.
1 Reduced from the £27 million fine which was proposed in ICO's notice of intent in September 2022.
2 For a guidance on obligations under Article 13 and 14 UK GDPR see ICO's Guidance on the right to be informed
