- DPO's Blog
- 4 minutes
- By Klara Lee
When you’re collecting, storing or using personal data, it’s essential that you tell individuals exactly how you’re doing this and what it means for them.
We've put together the guide below to help you write a stellar privacy notice, suitable for all organisations.
Remember: you have to comply with both GDPR & the ePrivacy directive
This is because when a data privacy issue is raised, especially if it’s related to communications, regulators will go straight to the ePrivacy directive.
The ePrivacy directive has been in effect since 2002 and was updated in 2009, and its rules supplement GDPR - the two go hand in hand.
The ePrivacy directive requires ‘transparency’ and ‘affirmative consent’ to tackle problems like spam, excessive profiling and behavioural advertising. It also addresses the confidentiality of e-communications in more detail, for example Facebook Messenger or WhatsApp, and the monitoring of internet users using tracking technologies like cookies.
1. Our contact details: e.g. your business’ postal address, phone number, and email address
2. What type of information we have: e.g. name, location, search history…
3. How we get the information and what we do with it: e.g. you provide us with most of the information we process because we need it to do X. We also gather information from third-party Y to do Z. The best thing to do is combine items 3 and 4, e.g. in a table include how you get data like their name and address, what you do with this data, and the legal basis you rely on to process it.
4. The legal bases we rely on: You need at least one legal basis for why you’re processing personal data. For example: consent, contractual obligation, legal obligation, vital interest, public task, legitimate interests. If you rely on ‘consent’ you need to display it clearly and prominently and include a separate unticked opt-in box for direct marketing. If the legal basis is ‘legitimate interests’ you need to provide details of this, e.g. we advertise XYZ’s products to you based on your order history on our site.
5. How we store your information: 🔒 e.g. your information is securely stored [location]. We keep [type of personal information] for [time period]. We will then dispose of your information by doing X.
6. Your data protection rights: Remember that the right to object should be presented in an isolated form, not hidden in the bulk of the text, e.g. your rights are the right of access, rectification, erasure, restriction of processing, objection to processing and data portability. Here’s how to object to processing…
7. How to complain: 🗣 e.g. If you have any concerns about our use of your personal information, you can make a complaint to us at [contact details for data protection queries]. You can also complain to the ICO if you’re unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Our top tips 💡
These are the areas we see a lot of privacy policies fall short in, so make sure you do the following:
Be transparent and precise
For example, 'we will retain your browsing history for advertising purposes.' AVOID using the following phrases at all costs: ‘we may…’ - either you do something or you don’t. ‘We keep your personal data as long as necessary’ - your organisation needs a specific data retention policy in place anyway, so just share it. If you only do something in specific circumstances, be specific about what those circumstances are.
Consider a layered approach
Rather than just pages of information that most people accept without reading, you can use pop-up boxes on the website so that information is easier to follow, or use just-in-time notices, video, icons and symbols, and privacy dashboards.
Write in a style your audience would understand
You need to identify, ideally by name or at least by category, any recipients of the personal data you’re collecting.
If you just say ‘we share your personal data with trusted third parties’, STOP. Please don’t do this; it’s classed as ambiguous language under GDPR.
After roll-out
Final thoughts 💭
Unfortunately, many organisations don’t fully comply with both GDPR and the ePrivacy directive when writing their privacy policies and don’t implement tips like layering their privacy notice or writing their policy in a style tailored to their audience.
But, privacy policies are really important. Writing a good one can help you stay out of trouble if there’s ever a privacy complaint against your organisation, and it shows your customers that you rightly take the protection and security of their personal data seriously, increasing their trust in your organisation 🌟
If you have any further questions, let us know; our support team would be more than happy to help!