GDPR Week #17 - What's black & white and never read? | DMA


GDPR Week #17 - What's black & white and never read?


As you'll know, one of the key requirements of the GDPR and the new Data Protection Act is that organisations keep their prospects and customers ('Data Subjects', in legalese) informed. In fact, the first of the 8 Rights listed by the ICO is this one: the Right to be Informed.
An organisation's Privacy Statement or Notice is typically the best way for it to explain how it will process data. Traditionally, from a customer experience perspective, the Privacy Statement has been irrelevant. They're lengthy (on average over 2,500 words - though iTunes' peaked at 20,000 words in 2015) and no-one reads them. But in future people increasingly will. And if it's not your prospects and customers reviewing your Privacy Statement, then rivals and a growing band of people looking to make a living out of challenging brands' data privacy compliance will!
As is usually the case, the ICO has already provided some useful guidance on how to construct Privacy Statements. A crucial help when trying to square the circle of providing information that's comprehensive whilst still being digestible and understandable is the concept of 'layering', which we will cover in a future week's blog. However, for now, there are two things to make a start on if you're looking to re-write your Privacy Policy:
i. The Policy needs to explain all the ways in which you intend to process personal data. So, refer back to where you got to when you started to map how your organisation captures and uses personal data, which was the task in Week #11 ("The GDPR, week #11. 3 simple questions…").
ii. Remember that the acid test of your Privacy Policy's effectiveness is not whether it looks like other organisations', but whether your prospects and customers will understand it.
