The forthcoming GDPR (General Data Protection Regulation) rules that come into force in May will bring in changes to many areas of business. One critical area to look at is privacy policies and notices. In this blog post, we'll dive into the topic and discuss what you need to do, as well as providing some practical examples.
However, first things first. Please don't take this blog post as a substitute for any legal advice; it's a starting point and nothing more. I've developed this approach through plenty of research and discussion along with a dash of common sense, but that doesn't mean that it's 100% right or, more importantly, 100% right for your business. If you use this as a starting point and adapt it to your business circumstances, then you'll be off to a good start. Also, I find that if you then take a draft document to get legal advice, then it's more often than not a lot easier (and cheaper) than starting with a blank page.
Right, now that that's out of the way: just what exactly is the difference between a Privacy Policy and a Privacy Notice?
Privacy Policy vs Privacy Notices
A Privacy Policy (sometimes called a Privacy Statement) is usually a page on your website that sets out how you collect and process information, generally through your website. The Privacy Policy may also include some words on how cookies are used by the site and contact details to find out more. GDPR brings in further requirements that mean your Privacy Policy page will likely need to be updated, and it will be best to get legal advice on this.
A Privacy Notice is a new creation that under GDPR rules helps organisations explain to users what they can expect will happen to their data. Privacy Notices should now be displayed at the point of data collection so that users can quickly make an informed decision without wading through lots of legal text. After all, who bothers to read a Privacy Policy?
Use plain English
The new GDPR rules demand that information about processing personal data should be:
Concise, transparent, intelligible and easily accessible
Written in clear and plain language
Free of charge
So the age-old trick of just providing a link to the long, poorly written Privacy Policy as part of the sign-up process isn't going to work. Also, you need to ask yourself a question: if I understood what the data is used for, would I sign up?
No matter how you explain it, some things just won't go down very well with your users. If that's the case, maybe it's time to think again about any aggressive processing or marketing techniques. You just need to be fair and transparent.
What goes into a Privacy Notice?
So whenever you are gathering personal information (online or not), you are now going to need a Privacy Notice that explains the lawful basis for processing the data as well as a few other essential facts:
What information is being collected?
Who is collecting it and why?
How will it be used?
Who will it be shared with?
What are the data subject's rights?
How can you object or complain?
How can we make this easy to understand?
As the purpose of the Privacy Notice is to provide information in an easy-to-use way, we may consider layering it to create a better user experience.
The first level is a headline such as 'How will we use this information about you' or 'Learn your data rights'.
Users should be able to click on the headline to reveal the next level, an expandable panel that contains more detailed information about data processing and sharing. The third level of detail is a hyperlink to the relevant section on your full privacy policy/statement if more information is required.
GDPR Privacy notice example
As well as this three-stage Privacy Notice at the bottom of every form on your website, you might want to show guidance information inside the form itself:
ICO example of in-line Privacy notices
This can be effective in clarifying why we are asking for particular personal information and how it should be used. The same layered approach applies, so I would also include a link to the relevant section of your main Privacy Policy.
In conclusion
GDPR brings in a lot of new rules and responsibilities, but with a bit of careful design the new Privacy Notices should be something you can tick off your list without too much headache.