At an absurd total of 6,000 words, in 2010 Facebook’s privacy policy was longer than the United States Constitution. Who’s going to read and digest all that?
The GDPR aims to tackle the problem of baffling privacy notices with new demands for clarity, so people can quickly and easily understand who you are and what you’re going to do with their personal data.
This doesn’t mean you have to completely scrap your privacy notice: you can draft a clear, snappy version which links to your longer, revised main policy.
Under GDPR, your privacy notice should answer the following questions:
- What information is being collected? Consumers may not need to understand every field or parameter, but they should certainly appreciate the depth of information being collected.
- Who is collecting it? Complex corporate structures and holding companies should be made clear here – what is the consumer’s ultimate recourse?
- How is it collected? Where does data go, and where is it being stored?
- Why is it being collected? What are you legitimately taking it for, and where does that legitimacy stop?
- How will it be used? And where does that usage cease?
- Who will it be shared with? Every consumer should know if their data is going to be shared with or sold on to third parties, particularly if the context of that use is different.
Consider also the effect of the answers on the individuals concerned: is it likely to give them cause to object or complain?
A sample GDPR-compliant privacy notice
The Information Commissioner’s Office (ICO) provides this sample privacy notice.
When writing your privacy notice, the ICO advises you to:
- Use plain language and a simple style so everyone can understand
- Avoid legal-speak or confusing terminology
- Keep it in your house style so that it’s the approach your customers expect from you
- Align with your organisation’s values and principles so people are more inclined to read, understand and trust your notice
It also says you should:
- Be truthful
- Adhere to any sector-specific rules, such as for the marketing or financial services sectors
- Keep your privacy notice consistent across multiple platforms, and make sure every copy is updated quickly when needed. A content management system (CMS) will help.
If you’d like some help preparing your business for GDPR, check out Me Learning’s portfolio of online courses here.
Alternatively you can speak with a member of our sales team by calling 01273 499100, or by emailing us.