Privacy notices – the 8 deadly sins
There are seven original sins, but Privacy Notices have eight!
Scary, eh? If we’re not careful, they can be like a radio advert where the voiceover person speaks really, really fast to mention stuff they’re obliged to say but assume nobody wants to hear.
Which is all very well, until a juicy complaint thunders into the ICO’s in-box and it transpires your privacy notice is written in legal hieroglyphics you need a PhD to understand.
The rules are clear and carved in tablets of stone (well, UK/EU GDPR) – the notice has to be provided ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. Also, you have to cover specific mandatory areas.
Recently, late on a Friday night, I found myself reading the privacy notice on a Tory leadership contender’s website. My rock’n’roll lifestyle, eh? Needless to say, it was rubbish. And these are the people passing data protection law?
Why should we care about our Privacy Notices?
Your privacy notice might be the loneliest, least-visited corner of your website. So why care about getting it right?
- Done well it says, ‘we care about data protection’. It can increase people’s trust in your organisation – the more trust, the more likely people are to engage.
- Remember, prospective clients and partners are likely to scrutinise your privacy notice as part of their due diligence. It’s definitely something I do for clients.
- If you miss activities out, you may come a cropper when things go wrong. Your privacy notice is your ‘shop window’ for data protection matters and just like your customers, the ICO can take a peek whenever they want. For example even before GDPR, several charities found themselves in hot water for not telling people they carried out wealth screening.
- The right to be informed is a legal requirement. The ICO says serious breaches of the right to be informed could leave you open to the highest tier of fines. Is it worth taking the risk?
With this in mind, here are my Eight Deadly Sins:
1. Don’t copy someone else’s
There’s no harm in looking at how others do things, and how they’ve worded things. This is helpful, but resist the temptation to cut ‘n’ paste. They might have it wrong, they might have missed out core requirements and they might be doing things differently from you. And you don’t need to be much of a detective to work this one out when something goes wrong.
2. Don’t use a standard template…
… without taking the time to tailor it to what you actually do. For example, what do you use personal information for? You need to list the activities YOU do.
3. Don’t get a lawyer to write it…
… unless they have a flair for using down-to-earth, easy-to-understand language. Grab your best copywriter and get them involved.
4. Don’t quote the law
“As a data subject you have the right to obtain from us (the controller) confirmation as to whether or not personal data concerning you is being processed, and where this is the case, access to the personal data”.
Legal rubric is written for courts and lawyers. It isn’t meant to be ‘easy’ to understand (not on purpose, but because legal discourse has a specific context). This is not the case for your privacy notice, so for the paragraph above, just NO!
(p.s. the same goes for your internal policies which you expect ALL staff to adhere to; don’t make them impossible to understand).
5. Don’t use GDPR jargon
Most people don’t know what processing, controller, processor, pseudonymisation and third-party mean. And why would they? Don’t force them to look up GDPR definitions to understand what you’re talking about (as this is unlikely to help either).
Don’t get me started on profiling – does your audience know what this means? It all sounds a bit ‘Silence of the Lambs’ if you ask me.
It’s better to clearly explain what you mean without using words which people either won’t understand or could be easily misunderstood.
6. Don’t leave out core requirements
There are specific areas we’re obliged to cover. The ICO has a clear checklist for this.
What routinely gets overlooked? In my experience:
- The lawful bases relied upon. Tricky to drop in without sounding like legal speak. Using a table can help, or drop-downs, so those who want to delve into this detail can.
- Legitimate interests – remember we’re told to tell people what our legitimate interests are.
- The right to complain to the ICO.
- Who personal information is shared with.
- International data transfers.
7. Don’t leave it out because it’s too difficult to write down
There’s an art to explaining complex stuff simply, and this is one of those occasions where it pays to learn.
8. Don’t hide it
Sometimes I search high and low on websites to find the privacy notice. Why not just provide a link in the footer on every website page? And don’t make the font so small I have to scramble for my reading glasses (yes, my life really is that rock’n’roll). Privacy information shouldn’t be hard to find. Again, when something bad happens, do you really want someone alleging you were deliberately trying to hide it?
Clarity, being concise, using plain English – it’s obviously subjective
You know your customers better than anyone and you want to keep them. So reflect this in the way you present your privacy notices.
Try them out on your friends and colleagues who don’t work in your world. Do they understand them? Stress-test your notices before you publish them – and why not keep a note of that too? Demonstrating good faith and recording your decision-making is never a bad thing.
Let me know what does or doesn’t work for you – best practice is what we’re all about.