GDPR and effective date of your privacy policy.

Transcript of the Video

Hello, ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut. I'm very, very excited about our first implementation day tomorrow, where I'm going to take a hundred people through all of the documents that they need to put in place to work towards GDPR compliance. So I'll be looking at their privacy policies, their cookie policies, their processor agreements, whatever else they need to put into place, employer privacy notices as well. I'll be answering all of their questions and we'll all be working on it together.

I know it's hard to clear space in your diaries to make room for these things, so that's why we're coming together as a group to motivate and incentivize each other, and I'm going to be on hand all day to answer people's questions. So it's a new thing. We'll see how it works and if it's successful then we'll look into running more of them. But for those of you who are still asking, it is sold out now.

So, what I want to do a quick video on tonight is I had a good question today, which was about what date do you make your privacy notice effective from? I've seen big companies do it both ways. Some have said it's effective from the 25th of May, i.e. the date that the regulation comes into force, and others are effective immediately. So what's the position on that? Well, the answer is, there's nothing in GDPR that says you must have it coming into force on the 25th of May and it's really considerations for you, along with the lines of what I'm going to outline now.

So what is the downside of having the privacy policy coming into effect now? Well, one of them is that you are giving enhanced rights to data subjects that you don't actually need to give them yet. So if you're doing it now, it's about a month to go, you're giving people one month of additional rights that you don't need to do. Now, what are the chances, in that one month, of people bringing a subject access request or a right to be forgotten or whatever else it is? Very low, I would say, so it's a consideration but it probably shouldn't be a driving one.

Now, what is the downside of not having the privacy notice in place now? Well, if you are using ... If you need to get fresh consent from people and you're doing a re-engagement campaign like we've suggested in this group, then you're probably going to need to start doing that now so that you can get people re-engaged and opted in before the 25th of May, because obviously if you're relying on consent as a lawful ground of processing and you don't have a GDPR standard of consent post the 25th of May, then you'll have to stop that processing. So people are doing their re-engagement campaigns now, which are of course why we're all getting so many emails asking us to opt-in to different companies' emails, and marketing emails, and newsletters, etcetera.

So what you would typically do is that, whilst you're getting people to re-opt-in on the basis of your new privacy policy, so obviously you would want it to be live at the time that those people are opting in to the new GDPR standard of consent, which includes being very upfront and transparent about what you're doing with their information. So if your current privacy policy isn't quite up to scratch in terms of being really clear, upfront, and transparent about what you're doing with people's information, then you'll want to advise them of the new privacy policy at the point in time that you are getting that new GDPR standard of consent.

So they're your choices, really. Have it live now, so that when you're asking for that consent, you've got that privacy notice in play. If maybe your existing privacy policy is clear and transparent about what you're doing with data ... Let me just check the ... I'll just read you the definition of consent. Too many flags on this now, can't actually see what any of them are because there are so many flags. Okay, so consent, so it's "specific, informed, and the unambiguous indication". So the bit, I think, being the informed part of it, means that the privacy notice needs to be really clear and upfront about what you're going to be doing with their data.

So I guess, in theory, if you had a privacy policy that you thought did do that and was ... it fully informed the data subject as to what you're doing with that data, then in theory, you could get your opt-in consent and then send a follow up email on the 25th of May, or closer to the 25th of May, that sent them your new privacy policy that sets out all of the things that you're required to set out in the privacy policy, under Article 13 of GDPR. But obviously, the simplest thing would be: send your email requesting fresh consent and link to your new privacy policy in that.

So my view is, is that the risk of people having enhanced rights in that one month period, it's probably not worth the effort of separating that out. If you've got any other sort of commercial considerations around that ... as I say, it isn't really a legal thing ... then comment below. But as I say, I've seen big companies doing it both ways, really. Some where their privacy policy is effective immediately and some where it's coming into force on the 25th of May. So also comment, if you've seen that, which way you've seen it. Have you seen it more common that it's coming into effect now, or more commonly that it's coming into effect on the 25th of May?

So I'll leave you with that, and for those of you who are joining me on the implementation day tomorrow, can't wait to see you on that, bright-eyed and bushy-tailed, at 9:30 AM tomorrow. Until then, goodbye.