14th February 2018
GDPR: Privacy notices
The forthcoming GDPR (General Data Protection Regulation) rules that come into force in May will bring changes to many areas of business. One critical area to look at is privacy policies and notices. In this blog post, we'll dive into the topic and discuss what you need to do, as well as providing some practical examples.
However, first things first. Please don't take this blog post as a substitute for legal advice; it's a starting point and nothing more. I've developed this approach through plenty of research and discussion along with a dash of common sense, but that doesn't mean it's 100% right, or more importantly 100% right for your business. If you use this as a starting point and adapt it to your business circumstances, then you'll be off to a good start. I also find that taking a draft document to get legal advice is more often than not a lot easier (and cheaper) than starting with a blank page.
Use plain English
The new GDPR rules demand that information about the processing of personal data should be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language
- Free of charge
No matter how you explain it, some things just won't go down very well with your users. If that's the case, maybe it's time to think again about any aggressive processing or marketing techniques. You just need to be fair and transparent.
What goes into a Privacy Notice?
So whenever you are gathering personal information (online or not), you are now going to need a Privacy Notice that explains the lawful basis for processing the data, as well as a few other essential facts:
- What information is being collected?
- Who is collecting it, and why?
- How will it be used?
- Who will it be shared with?
- What are the data subject's rights?
- How can you object or complain?
How can we make this easy to understand?
As the purpose of the Privacy Notice is to provide information in an easy-to-use way, we may consider layering it to create a better user experience: a short first layer that the user sees immediately, with the fuller detail available beneath it.
The first level is a headline such as 'How will we use this information about you?' or 'Learn your data rights'.
GDPR Privacy notice example
As well as this three-stage Privacy Notice at the bottom of every form on your website, you might want to show guidance information inside the form itself:
ICO (Information Commissioner's Office) example of in-line privacy notices
GDPR brings in a lot of new rules and responsibilities, but with a bit of careful design the new Privacy Notices should be something you can tick off your list without too much of a headache.