Understanding and identifying what notifications are necessary and how you manage them
What are Notifications?
Notifications are the mechanisms used to support the data subject's right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
These notifications must be provided to all parties from whom you collect personal data, e.g. customers, employees and 3rd parties. They are also known as privacy notices under the Data Protection Act (DPA) and more generally as ‘fair processing notices’.
What does the GDPR require?
The GDPR is specific about what types of notification must be supported, what information must be provided to data subjects, how it should be made available and also the conditions under which these notifications should be provided.
There are several types of notification required by the GDPR including:
- When you collect personal data (this service)
- In the event of a data breach and
- When personal data is rectified, erased or restricted for processing etc.
This Notification Review and Remediation service focusses specifically on those notifications the GDPR requires your organisation to provide at the time it collects personal data either directly from the data subject or from a third party.
The latter two notifications are addressed by our Data Subject Rights Review and Remediation service as they are relevant once your organisation is in possession of or already processing data subjects’ personal data.
Why do a Notifications Review?
The GDPR places new requirements, which go beyond the DPA, on organisations that collect and process personal data: they must provide notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Your organisation needs to have the correct notifications in place by May 2018.
Notifications Review and Remediation
To undertake this service effectively and in a timely manner you should have completed our Data and Purpose Review. This supports consistency and cross-referencing of the personal data being collected and its purpose, and the integrity of your notifications.
To create your notifications for data subjects at the time you collect their personal data, this service takes into account:
- Sources and recipients of personal data
- Retention periods
- Legal bases for processing
- Transfers to third parties and third countries
- Automated decision making
Notifications for individual classes of data subjects are created using this information and include:
- Identity and the contact details of the controller
- Contact details of the DPO, where applicable
- Recipients of the personal data
- Legitimate interests where applicable
- Transfers of personal data
- Purposes for processing.