Privacy Notices under the GDPR

One of the key areas which is emphasized under the GDPR is the ‘right to be informed’, which encompasses the obligation placed on organisations to provide ‘fair processing information’, usually through the use of ‘privacy’ or ‘data protection’ notices.

The GDPR sets out what information should be included in such notices.  Some of this will be familiar as it is the type of information which should ideally be included in current notices under the Data Protection Act.  However, there are some other categories of data which need to be included and, also, a greater level of detail will be expected.  For information being processed by the University that is directly obtained from the individual, they should be informed at the same time the information is obtained.

The following needs to be included in any privacy notice:

- The identity and contact details of the data controller (i.e. the University) and their Data Protection Officer
- The purpose and legal basis for processing
- The legitimate interests of the data controller or third parties, where applicable
- Details of who will receive or access the information
- Details of any transfers of data abroad, and any safeguards in place
- Information on how long the data will be retained
- Details of data subjects’ rights under GDPR
- The fact that data subjects have the right to withdraw consent at any point, if consent has been used as a basis for collection of data
- The fact that data subjects can complain to the ICO
- Details of any automated decision making involved in the processing of their data

For further details, see the ICO’s website at:

The right to be informed

For more advice on privacy/data protection notices, contact the Information Governance Manager at: