The law says you need to provide data processing information to all the categories of people whose personal data you process. Your website privacy notice is a great way of doing this and, for many organisations, the main way.
Some good techniques are to:
Data protection law says that consent needs to be ‘fully informed’ for it to be valid. This means you should clearly explain to the user:
Having a ‘legitimate interest’ is one of the bases you can rely on to lawfully process personal data. It’s also one of the most common.
However, the law says it’s not enough just to say that you’re processing personal data because you ‘have a legitimate interest in doing so’. Rather, you need to go one step further and actually explain what your specific interest is for that type of processing. Here are some examples:
“We have a legitimate interest in keeping you up to date with our sales, offers, competitions and new product releases which we think will be of interest to you.”
“We have a legitimate interest in creating and keeping records which contain your personal data so that we can more efficiently operate our business.”
A recent change to the law is that if you are UK-based but process personal data of individuals in the EU then you may need to appoint an EU representative. One of your representative’s key responsibilities is to pass on any correspondence received from the European data protection regulators.
Don’t have a European representative or not sure if you need one? Have a look at our short blog “Do I need to appoint an EU representative for data subjects living in the EU?”.