Out with the old, in with the new: Privacy Notices
Topic: How-to guides
Disclaimer: It is important to note that while we have checked our sources and are confident in our interpretation, this article does not constitute legal advice.
It is estimated that the average person would need 244 hours of reading time to read the privacy policies of every website they visited within a year (source: McDonald and Cranor), but let’s be honest, many of us don’t. Privacy policies have nonetheless become a hot topic recently.
On 25 May 2018, all processing of personal data relating to EU citizens by organisations will have to comply with the EU General Data Protection Regulation (GDPR). As a result, companies are being presented with an opportunity to reform their privacy policies, because people will actually be reading them.
Privacy notices are known for their complexity and length (ours is currently 974 words). The GDPR aims to make them easier to understand for the reader before they hand over the keys to their data, so the information you provide must be:
- Concise, transparent, intelligible and easily accessible*
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
The majority of companies like yours should already have a privacy notice that reflects this, and it’ll almost always be accessible online.
So what’s changed?
The GDPR places a greater emphasis on when and how you present this information. A generic web page that is a catch-all explanation will no longer be suitable.
Your notice will need to be provided to data subjects at the point of collection and will need to specify a number of things. But fear not, there are a number of techniques you can use without overwhelming your users. In fact, the ICO believes it’s good practice to use a number of techniques when presenting your privacy policies.
Step 1 – Get to know your data
“A business is only as good as its data” is a common saying, and this is an ideal time to get to know the data your business collects and stores, as well as how it can be removed when requested. It’s time to ask questions about your data: perform an audit.
Step 2 – Let’s not forget about Who
Who uses this data? While you may think it’s just the business you’re dealing with, many will share data with third parties in order to provide a customer-facing service.
Sharing data doesn’t just mean selling information commercially; it also covers using third parties to deliver extra services. For example, an e-commerce store will collect information about its customers but use a company like Esendex to deliver an SMS order confirmation.
Step 3 – How does this affect business communications?
Talking to your customers is a fundamental part of business. Specific rules under the Privacy and Electronic Communications Regulations (PECR) apply to marketing communications, cookies and privacy. These, too, will be replaced EU-wide by the ePrivacy Regulation, which will come into force after the GDPR.
Instant and social media messaging services (OTT apps) such as WhatsApp and Messenger, and VoIP providers like Skype, will fall under the same laws as more traditional methods of direct marketing, i.e. emails, telephone calls and SMS.
The privacy policy of messaging app Telegram, although longer than some policy notices, is clear and easy to understand. By dividing the policy into four specific sections (Sharing data, Storing data, Deleting data and Payment information), users are able to quickly find the information they need.
The ICO focuses on two types of approach:
The ‘just in time’ approach
This approach provides a quick explanation of why the information is being asked for, at the point of collection.
When a user interacts with a data field, the reason you’re collecting that information can be presented clearly next to their submission. This is a simple option that most form building software can provide already.
The ‘layered’ approach
This can help you provide the necessary information when space is limited.
With layers, you present a short summary first and add more information as the customer clicks through, integrating the notice with the customer journey.
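As an added illustration (not from the original article, and not an ICO or Esendex example), here is one way both approaches could be implemented in a plain HTML form: each field carries a short just-in-time purpose statement linked to it through aria-describedby, and the layered notice uses native details elements so the customer clicks through to more detail. The field names, purpose wording and the /privacy link are assumed placeholders.

```html
<form action="/signup" method="post">
  <!-- Just-in-time notice: the reason for collecting the field sits next to it
       and is announced to assistive technology via aria-describedby -->
  <label for="email">Email address</label>
  <input id="email" name="email" type="email" required
         aria-describedby="email-why">
  <p id="email-why" class="jit-notice">
    We use your email address to send your order confirmation.
  </p>

  <label for="mobile">Mobile number (optional)</label>
  <input id="mobile" name="mobile" type="tel"
         aria-describedby="mobile-why">
  <p id="mobile-why" class="jit-notice">
    If you give us a mobile number we pass it to our SMS provider to send a
    delivery text. Leave it blank and we will email you instead.
  </p>

  <!-- Layered notice: the first layer is always visible, each further layer
       opens only when the customer chooses to read more -->
  <details class="privacy-layer">
    <summary>How we use your data</summary>
    <p>We only use these details to fulfil your order. We do not sell them.</p>
    <details class="privacy-layer">
      <summary>Who we share it with</summary>
      <p>Our payment processor and our SMS provider, for this order only.</p>
      <p><a href="/privacy">Read the full privacy notice</a></p>
    </details>
  </details>

  <button type="submit">Place order</button>
</form>
```

The first layer should state the purpose in one or two sentences; the full notice is linked from the deepest layer rather than reproduced in the form, so the information is available at the point of collection without overwhelming the page.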
While existing customer communications will be able to continue where a legitimate interest exists, this must still be communicated in the privacy notice.
For any new relationships, the ICO considers it good practice for businesses to put themselves in the position of the people they’re collecting information about.