In recent weeks there has been a noticeable uptick in the number of "We've updated our privacy notice" emails landing in my inbox. I tend to assume that most people's interest in data protection doesn't extend to reading other companies' transparency information in their spare time – but for better or worse, I am not one of those people.
With that in mind, I've read the 20-odd updated privacy notices that were sent to my email address in the past month, and what follows is an overview of the topics that appeared most frequently in those notices.
Artificial Intelligence. Most notices had been updated to reflect the organisation's use of AI – both current (e.g., the provision of customer support services) and future-looking (e.g., for product development and improvement purposes). Although these use cases are the same ones that many businesses had in place before the hype around generative AI exploded into the public consciousness, it's still good to see them making individuals aware of their application of AI to personal data.
But that's not necessarily the end of the story. If your business is currently using AI (or planning to), it's worth bearing in mind that you may need to update your transparency information more than once in order to reflect your AI use cases. The temptation is to draft a one-size-fits-all disclosure, which could work for simpler, single-use AI tools such as chat/voice bots. However, as these technologies develop, and you want to implement AI for purposes that evolve over time, that approach won't cut the mustard.
Data Privacy Framework. A smaller but still significant number of privacy notices had been updated to reflect their organisation's certification to the EU-U.S. DPF and/or UK Data Bridge. As part of the certification process, businesses in the U.S. needed to update their privacy notices by 10 October 2023 and 12 October 2023 respectively to reflect their reliance on the DPF and UK Data Bridge. For their part, organisations in the EU and UK should be updating their own notices to cover data transfers to U.S. certifying entities. So it's not surprising to see updated notices still coming through.
Indeed, if you haven't done so yet, now would be a good time to think about updating your own privacy notices – not only to reflect the DPF and UK Data Bridge but, more importantly, as part of a periodic review of your recent and upcoming processing activities. Explaining to people how their personal data will be processed, in clear and digestible language, can be challenging at the best of times. Doing so for complex technologies is harder still. My advice is to think about this as an evolving, creative process rather than a tick-box exercise. Taking that approach is likely to result in better transparency for and trust from your data subjects, as well as making the whole process more enjoyable for you (and the oddballs who read privacy notices in their spare time).
In that spirit, it's worth remembering that putting the onus on data subjects to periodically check your privacy notice for updates is unfair for the purposes of Article 5(1)(a) of the GDPR / UK GDPR. It is the controller's responsibility to bring material changes in processing to the individuals' attention, and there's no excuse not to do so. Even if none of the above currently apply to you, it's still worth asking the question: when did we last update our privacy notice(s)? Anything more than 12 months means that it's time to at least consider a refresh.
Lastly, this article has discussed consumer privacy notices, but all of the same principles apply to your employee and applicant notices (and any other notices you provide). For example, if you're using AI to assist in the hiring process, or tracking employees as part of a return to office policy, you'll need to let individuals know. Happy drafting!