Writing a privacy notice – a key part of GDPR compliance
12 Nov 2017
Setting consumer expectations as to how personal information will be used is a stepped process and one that will often use a range of media and communication channels to outline and describe data processing activities.
Initial expectations will most likely need to be set at the point of sign up, or when data is captured.
Fully informing the individual will inevitably require clear signposting to an accessible privacy notice.
In a world of increasing data privacy concerns and the role GDPR plays in it, the privacy notice will be elevated considerably in the consciousness of those business stakeholders responsible for ensuring data protection and privacy compliance.
The privacy notice will be a principal tool in generating trust in an organisation’s capability to effectively handle and process any information that is tracked or collected.
GDPR holds businesses accountable for their ability to operate compliantly, safeguarding the regulation’s underlying principles and being able to show evidence for such.
Personal data must be processed in a fair, lawful and transparent manner.
The essence of this principle is clearly called out by the DMA’s CEO Chris Combemale:
"Transparency means telling the customer what you are going to do with their data and the benefits they get in return”
The privacy notice is a key component in outlining exactly who will be using data, the context in which it will be used thus informing and further shaping the data subject’s realistic expectations.
There is a fundamental obligation to tell data subjects what their personal data will be used for and the privacy notice is where a business must showcase and record such activities.
How should they be written?
Typically when thoughts turn to the privacy notice it has often been deemed acceptable to rely on a boilerplate approach, often represented by a lengthy impenetrable document written in legalese to reflect its importance, although perhaps more realistically to discourage examination and challenge.
As GDPR seeks to empower consumers’ privacy and data protection rights, a business can no longer obfuscate the uses to which an individual’s data will be put.
A great place to start is by using plain English to write the notice.
Case study: Instagram
Earlier this year, the Children’s Commissioner released a report entitled ‘Growing Up Digital’ outlining the need for children to be better prepared for the online world, and that when using the internet they can be ‘open yet not vulnerable to having their personal information captured and monetised by companies.
The rights enjoyed by children offline must be extended online.’
The commissioner very much expects the intent of the GDPR to apply to children and a telling exercise explored the extent to which children, a core app user segment, understood Instagram’s T&C.
Understanding was predictably limited, and when asked whether privacy rights were clearly stated, the following was noted:
‘I don’t know due to the sheer volume of writing and the lack of clarity within the document’ Sam, 15 yrs old.
The law firm Schillings re-drafted the T&C in plain English in order to simplify the content and the level of understanding across the younger user segment was transformed.
‘I’m deleting Instagram because it’s weird’ Alex, 13 yrs old.
Plain English works.
The lesson that can be taken from an exercise such as the Instagram re-write is that if a child under 16 years old can understand how an organisation will treat their personal information, should this not be an objective for all privacy notifications where transparency and managing data subject expectations are essential?
It’s extremely easy to evaluate readability, and a useful online tool called Readable exists to score any text using a commonly accepted model called Flesch-Kincaid. This model scores text on a scale of 1-100, where anything between 30-50 is considered difficult to read. If you can aim for a readability score of 60, which is suitable for 13 to 14 year olds, then your privacy notice stands a better chance of being properly understood.
Privacy Notices assessed
A quick peek at the following five brands and their scores might highlight areas for improvement or confirm that key privacy notices are clearly articulated:
EasyJet score – 54.7
Netflix score – 35.5
Apple score – 36.2
Snapchat score – 49.6
eBay score – 37.5
Privacy policies needn’t be characterised by endless copy.
The following two examples explore other means to showcase key privacy and service messaging:
It’s worth taking the time out to review your own business’s privacy notice in its current format and check to see how accessible it is.
Many businesses will be undertaking a raft of changes to align with GDPR and privacy notices will come into sharp focus, so ensure any updates in the pipeline don’t take the language used and its understanding for granted.