Perfecting the Privacy Notice: are you doing it right?

Written by: Enzo Marquet

In this blog post, we will delve deeper towards a ‘good’ privacy notice, providing insights, best practices, and tips to help you create your best privacy notice.

Privacy Notice vs Privacy Policy

First off, a distinction must be made between a privacy notice/statement and policy. A privacy notice is an external document used to inform data subjects about the processing of their data. A privacy policy is an internal document for your employees on how to process personal data. As such, this blogpost concerns the externally oriented privacy notice.

What should you add in your Privacy Notice?

The GDPR stipulates in articles 12 – 14 that controllers must take appropriate measures to inform data subjects on the processing of their personal data, and thus the privacy notice was born.

The outline is simple, the following information must be included:

• Identity of the controller(‘s representative) and its contact details;
• Contact details of the DPO if applicable;
• The processing purposes linked to the legal basis for processing;
• If legitimate interest is relied upon as a legal basis, the controller shall also explain their legitimate interest;
• (Categories) of recipients of the personal data;
• International data transfers and the implemented safeguards;
• Retention periods;
• All data subject rights, including a link to the supervisory authority to lodge a complaint;
• The existence of automated decision-making and its logic as well as the impact on the data subject.

When the personal data is not obtained directly from the data subject, the following information shall also be provided within a reasonable timeframe, for example by e-mail:

• Categories of personal data concerned;
• Source of the personal data;
• Disclosure to other recipients.

Best practices when creating a privacy notice

Managing a privacy notice can be done in many ways, and each situation calls for a different approach. For example, a company dealing mostly with children’s data will need a vastly different implementation of its privacy notice compared to a company dealing with the recruitment of legal professionals.

The GDPR mandates that the required information shall be communicated in a way that is:

• concise,
• transparent,
• intelligible, and
• easily accessible way.

In the following, these key parameters for privacy notices will be discussed and best practises recommended. Most recommendations can also fit in the other criteria.

Concise 

A study from NordVPN  shows that it would take a person 10 hours to read the privacy policies of the 20 most visited websites in the UK. An average policy would thus take 32 minutes to read. This is of course extensively long and in contrast to the requirement of conciseness. Elaborate privacy notices create an information fatigue. How can this be improved?

1. Layering 

Not all information is relevant and people reading a privacy notice are often looking for specific information (such as contact details, purpose of processing). As such, it is a good idea to layer your privacy notice. The data subjects reading the privacy notice can then click on the title that suits their questions. An example:

Delhaize’s layered privacy policy, option 3 open

2. Different versions 

Some companies have rather complex privacy notices because they offer different services to a wide array of people (B2B, B2C, job applications, etc). An excellent practice to reduce the length of the privacy notice is to make a concise version, which addresses first-hand questions of data subjects. In a visible place in the concise version, a link can be placed to the elaborate and extensive version for the data subjects interested in the nitty gritty details.

Be careful, the concise version must still include all the obligatory information.

Transparent 

Information regarding the processing of personal data should be clearly distinct from other information on your website. Transparency revolves around being open and honest about your intentions and processing purposes.

1. Updated versions 

Often, at the top of the page, the privacy notice will mention ‘last updated at a certain date’. However, this has no added value to data subjects as it is often impossible to know what was updated.

As such, it is recommended at least to inform your current customers about any change to your privacy notice e.g. by e-mail, clearly explaining what is changing and why. Another option would be to provide a version where changes are marked in a different colour.

2. Avoid unclear wording 

Words such as may, could, possible, etc. do not contribute to a transparent privacy notice. Instead, these terms create an uncertain situation for the reader. They would ask themselves whether their personal data is effectively processed for the specified purpose.

3. Dashboard 

A dashboard provides a preference management tool, allowing data subjects to manage what happens to their personal data in one place.  Furthermore, it provides the flexibility for individuals to grant or retract consent as processing evolves or their preferences change.

Intelligible 

The criterion of intelligibility refers to the ability of the average customer to understand the privacy notice. This is linked to another requirement which mandates the usage of clear and plain language. Determine what your intended audience is (professionals, children, etc.) and adapt your writing to their understanding.

1. Use simple sentences 

Resist the urge to cram excessive information into a single sentence. Instead, aim to convey a single key idea or piece of information in each sentence.

Steer clear of overwhelming readers with an abundance of legal or technical jargon. Instead, rephrase complex terms into everyday language or offer straightforward definitions that your audience can easily comprehend.

In short, keep it simple stupid.

Easily accessible 

Any privacy notice should be easily accessible. This means you cannot hide it in the Terms & Conditions or some other place. Ensure that your privacy notice is clearly visible at the bottom/top of your webpage and link it when customers are creating an account.

1. Multiple entry points 

Finding the privacy notice should not depend on going to one specific location on your webpage. Instead, refer to it on multiple occasions such as when signing up for an account, prominently on your webpage, referring to privacy policy in other documents and in every communication you send.

2. Just in time 

A just-in-time notice is a brief message that informs individuals about how their provided information will be used, appearing at the moment they share the data. These notices are especially useful when people provide personal information during various interactions, such as on a website or when filling out a form, as they may not fully consider the implications. Just-in-time notices provide relevant privacy information precisely when needed and can be even more effective when used alongside other methods that offer detailed information for those who want it.

3. Do not forget about mobile 

Mobile devices, such as smartphones and tablets, face challenges when delivering privacy information primarily due to their small screens. To ensure clarity and readability, information on these devices should be as easily accessible as on traditional computer screens without the need for zooming.

Conclusion

Moving from an average to an excellent privacy notice can increase the transparency and trustworthiness of your business, two very important commitments in the current digital age. In this blogpost, we focused on a few key points which are often overlooked during the crafting of your privacy notice. Implementing these measures will give your business an edge over competitors and grow customer’s trust. Remember, your privacy notice is not merely a legal document, but functions as a bridge of communication between you and your customers.

By putting these guidelines into practice, you can take a significant step towards fostering a more transparent and data protection respecting future.