You’ll need to review your policy on managing customers’ personal data and communicate how you handle privacy information by way of a Notice. Find out what to include.
How to use personal data
You may have lawful grounds for processing someone’s data, but you now need to let them know how you use their personal data; the ICO refers to this as ‘privacy information’. This may be done with a Notice to the data subject at the point of collecting the personal data.
The Notice can appear anywhere a client can find it easily. Putting it on a website might be the best option, but remember to ensure it’s visible at the point you collect personal data. The Notice should include:
The identity of the controller – that’s the person or people who decide what data is used and how it’s used
The purpose and legal basis of processing the data
The recipients of the personal data, such as banks, insurance companies, etc.
Whether any data is processed outside the EEA (remember to consider any cloud-based storage)
How long the data will be held, or the criteria used to decide the retention period
The data subject’s rights under the GDPR and how to make a complaint
Whether there’s a legal or commercial requirement to process the data.
By the way, if you change the basis on which you use personal data, it will still need to pass the ‘lawful purpose test’, and you’ll need to update your Notice.