Data Protection and the KISS principle

February 2022

Privacy Notices should be easy to understand, is the same true of our internal policies?

(Keep it Simple, Stupid)

GDPR made it a legal requirement for organisations to provide privacy information, using easy to understand language.

‘Concise, transparent, intelligible … clear and plain language’. (Article 12, GDPR)

Some have done a great job, others less so. And could we be better at using the same approach with our internal data protection-related policies?

Privacy Notices

This legal requirement to ‘keep it simple’ (my words) led some businesses to put a lot of time and effort into their Privacy Notices, especially in the run up to GDPR implementation back in 2018.

(By Privacy Notice, I mean the external information we provide to our customers about how we collect, handle and use their personal details. In the past, the term ‘Privacy Policy’ was used, and still is by some. But in essence it’s a notice to inform people, not a policy they have to abide by and agree to).

We were urged to remove legal language, use headings, a layered approach, ‘just-in time’ notices and so on. The ICO’s Right to be Informed Guidance provides some useful pointers on this.

It’s no easy task to balance the legal points we have to cover with the need to make our notices concise and easily understood.

After all, we need to cover how we collect people’s details, how we use them, lawful bases, retention, data sharing, international transfers, possibly profiling and more.

Yet, we need to explain all of this in a way typical users of our products and services can understand. The more complex an organisation’s activities, the more difficult this becomes.

This has led to some Privacy Notices becoming long and detailed, and not necessarily easier to understand.

Others, however, have been seriously creative. For example, using icons or short videos to make sure information is as easy as possible to take in.

This is great – external communications matter. It’s good practice, builds confidence and reflects well on an organisation’s approach to data protection.

Which brings me onto…

Internal data protection policies – our instructions to our people

Have we put the same effort into explaining our internal data protection policies to our people?

Surely, we want these to be concise, with clear and plain language too?

Too often policy documents are littered with legalise and jargon. Sometimes it feels like we think a policy can’t really be a policy unless its unduly formal and detailed.

Not true.

People shouldn’t need a degree of specialist knowledge to wade through policies, particularly those aimed at ALL staff.

I’m thinking here about policies such as a Data Protection Policy, which we would expect our people to read, reference and use.

I believe making them hard-work to read, can give data protection a bad name. Even worse, if errors are made, poorly drafted or overly complicated policies will reflect badly on an organisation. The same can be said of our internal procedures and guidelines.

How to refresh data protection policies

Take a look at the way your policies are written. Are they a bit dry? If they could do with a revamp, here are some simple do’s and don’ts to consider:

Do’s

    • use everyday words
    • explain any data protection terms in plain English
    • break up blocks of text with headings, lists and tables
    • highlight key messages you want to get across
    • include useful tips
    • put in examples tailored to your business
    • rope in your Comms or L&D team to help simplify things (or anyone who’s good with words)
    • cut out detail by linking to other related policies, guidelines, procedures
    • ask for feedback – how often do people use them? do they find them helpful? what would make them better?

Don’ts

    • complex language / legalese
    • ‘insider’ jargon – why say ‘data subject’ if you could say people, individuals, customers, patients etc?
    • cut-and-paste definitions from GDPR text
    • information overload

Of course, balance is important. While overly complex policies will gather dust, we need to include enough useful and important information to get key messages across. We’re not talking about talking down to people or patronising them, either.

I believe making policy documents as easy to understand as our external Privacy Notices should be, is a win-win approach.

Straight-forward instructions are more likely to be read, which means more people are likely to follow them. Of course, we also need to make sure people are aware of relevant policies and can easily lay their hands on them.

Need some inspiration?

Here are a few Privacy Notices I think work from a presentational point of view. Just don’t hold me to whether they’ve got everything covered or not!

BBC: Your information and Privacy – a layered approach, with lots of useful questions to help people find the detail they are looking for.

Amnesty International: Housekeeping – also a layered approach with icons, tables and ‘characters’ used to explain how data is collected and used.

Lego: Legal for Kids – a video with a ‘Captain Privacy’ Lego figure of course!