- DPO's Blog
By Klara Lee
Tue 22 September 2020
When you’re collecting, storing or using personal data, it’s essential that you tell individuals exactly how you’re doing this and what it means for them.
We've put together the below to help you write a stellar privacy notice, suitable for all organisations.
Remember: you have to comply with both GDPR & the ePrivacy directive
This is because when a data privacy issue is raised, especially if it’s related to communications, regulators will go straight to the ePrivacy directive.
The ePrivacy directive has been in effect since 2002 and was updated in 2009, and it’s rules supplement GDPR - the two go hand in hand.
The ePrivacy directive requires ‘transparency’ and ‘affirmative consent’ to tackle problems like spam, excessive profiling and behavioural advertising. It also addresses the confidentiality of e-communications in more detail. For example, Facebook messenger or Whatsapp. It also addresses the monitoring of internet users using tracking technologies like cookies.
- Your contact details: For example, your business’ postal address, phone number, and email address.
- What type of information you have For example, name, location, or search history.
- How you get the information and what you do with it: For example, 'you provide us with most of the information we process because we need it to do X. We also gather information from third-party Y to do Z.
- The legal bases we rely on: You need at least one legal basis for why you’re processing personal data. There are 6 legal bases: consent, contractual obligation, legal obligation, vital interest, public task, legitimate interests. If you rely on ‘consent’ you need to display it clearly and prominently and include a separate unticked opt-in box for direct marketing. If the legal basis is ‘legitimate interests’ you need to provide details of this, for example, 'we advertise XYZ’s products to you based on your order history on our site'. You can combine points 3&4 and display them in a table to make them easier to understand!
- How we store your information: For example, 'your information is securely stored [location]. We keep [type of personal information] for [time period]. We will then dispose of your information by doing X'.
- Your data protection rights: Remember that the right to object should be presented in an isolated form not just hidden in the bulk of the text, for example, 'your rights are the right of access, rectification, erasure, restriction of processing, object to processing and data portability. Here’s how you can object to processing…'
- How to complain: For example, 'if you have any concerns about our use of your personal information, you can make a complaint to us at [contact details for data protection queries]. You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF'.
Our top tips
These are the areas we see a lot of privacy policies fall short in, so make sure you do the following:
Be transparent and precise
For example, 'we will retain your browsing history for advertising purposes.' Avoid using the following phrases: ‘we may…’ (either you do something or you don’t) or ‘we keep your personal data for as long as necessary’ (your organisation needs a specific policy in place for data storage so please share it). If you only do something in specific circumstances, be specific about what those circumstances are.
Consider a layered approach
Rather than pages of information that most people do not read, you can use pop up boxes on the website to display your privacy notice so that information is easier to follow, or use just-in-time notices, videos, icons and symbols and privacy dashboards.
Write in a style your audience would understand
You need to identify ideally by name, or category, any recipients of the personal data you’re collecting.
Please avoid saying: ‘we share your personal data with trusted third parties’, this is classed as ambiguous language under GDPR, be clear about who you share your users' data with.
After roll out
Final thoughts 💭
Unfortunately, many organisations don’t fully comply with both GDPR and the ePrivacy directive when writing their privacy policies and don’t implement tips like layering their privacy notice or writing their policy in a style tailored to their audience.
But, privacy policies are really important. Writing a good one can help you stay out of trouble if there’s ever a privacy complaint against your organisation, and it shows your customers that you rightly take the protection and security of their personal data seriously, increasing their trust in your organisation.
If you have any further questions, let us know, our support team would be more than happy to help!