Out with the old, in with the new: Privacy Notices

Topic: How-to guides

Disclaimer: It is important to note that while we have checked our sources and are confident in our interpretation, this article does not constitute legal advice.
It is estimated that the average person would need 244 hours of reading time a year to read the privacy policies of every website they visited [Source: McDonald and Cranor]. Let's be honest: most of us don't. Even so, privacy policies have recently become a hot topic.
From 25 May 2018, all processing of personal data relating to individuals in the EU will have to comply with the EU General Data Protection Regulation (GDPR). As a result, companies are being presented with an opportunity to reform their privacy policies, because people will actually be reading them.
Privacy notices are known for their complexity and length (ours is currently 974 words); the GDPR aims to make them easier for the reader to understand before they hand over the keys to their data.

The basics of a Privacy Policy.

The key focus of any privacy policy is ‘clarity’ and ‘transparency’. Businesses need to provide a privacy notice that is:

  • Concise, transparent, intelligible and easily accessible
  • Written in clear and plain language, particularly if addressed to a child
  • Free of charge

Most companies, yours included, should already have a privacy notice that reflects this, and it will almost always be accessible online.

So what’s changed?

The GDPR places greater emphasis on when and how you present this information. A generic catch-all web page will no longer be suitable.
Your notice will need to be provided to data subjects at the point of collection and will need to specify a number of things. But fear not: there are several techniques you can use without overwhelming your users. In fact, the ICO considers it good practice to combine a number of techniques when presenting your privacy information.

Step 1 – Reviewing your Privacy Policy

'A business is only as good as its data' is a common saying, and this is an ideal time to get to know the data your business collects and stores, and how it can be removed when a data subject asks. It's time to ask questions about your data: perform an audit.
[Image: the what, where, why and when of a privacy policy]
Without asking these questions (what data you hold, where it is stored, why you collect it and when it will be deleted), you may find that information is missing from your privacy policy.

Step 2 – Let’s not forget about Who

Who uses this data? You may assume it is only the business you are dealing with, but many businesses share data with third parties in order to provide a customer-facing service.
Sharing data doesn't just mean selling information commercially; it also covers using third parties to deliver extra services. For example, an e-commerce store will collect information about its customers but use a company like Esendex to deliver an SMS order confirmation.
With this in mind, the e-commerce store must inform its customers that, in order to receive SMS confirmations, some of their data will be passed to a third party. This can be as simple as naming the third party in the privacy policy and linking to its own privacy notice, which gives the prospect or contact reasonable assurance about how that data will be handled. Where the third party processes the data on your behalf, the GDPR also requires a written contract with them setting out what they may do with it.
Of course, our customers can rest assured that we are not sharing data with any unnamed third parties, and so there is an onus on us to keep communicating that, as we do through our privacy policy and compliance initiatives such as ISO 27001.

Step 3 – How does this affect business communications?

Talking to your customers is a fundamental part of business. Specific rules under the Privacy and Electronic Communications Regulations (PECR) apply to marketing communications, cookies and related privacy matters. PECR implements the EU ePrivacy Directive, which the EU has proposed replacing with an EU-wide ePrivacy Regulation to sit alongside the GDPR.
Under that proposal, instant and social media messaging services (OTT apps) such as WhatsApp and Messenger, and VoIP providers like Skype, would fall under the same rules as the more traditional direct marketing channels, i.e. email, telephone calls and SMS.

Step 4 – So what should a privacy policy look like?

There are numerous ways to present a privacy policy, and it's important that yours reflects your business. A generic statement that uses complicated vocabulary will not cut it. Channel 4 does this very well in its 'Viewers promise', which uses a light tone and video to explain the intentions behind its data requests.
Messaging app Telegram's policy, although longer than some, is clear and easy to understand. By dividing it into four specific sections (Sharing data, Storing data, Deleting data and Payment information), Telegram lets users quickly find the information they need.
The ICO highlights two approaches in particular:

The ‘just in time’ approach

This example gives a quick explanation of why the information is being asked for, at the point of collection.
When a user interacts with a data field, the reason you're collecting that information can be shown clearly next to their input. This is a simple option that most form-building software already provides.
[Image: what, where, why and when of a privacy policy]

The ‘layered’ approach

This approach helps you provide the necessary information when space is limited.
With layers, you show a short summary first and add more detail as the customer clicks through, integrating the notice with the customer journey.
Whichever style you choose, always direct the reader to the full privacy policy from every call-out.
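As an added illustration (not Esendex's code, nor anything taken from the ICO guidance), the JavaScript below ties Step 1 to Step 4: each form field gets an inventory record answering what, why, who, where and when; a completeness check refuses to render a notice while any answer or any third-party link is missing; and two renderers produce the just-in-time hint for a field and a layered `<details>` block that expands into the detail and links to the full policy from every call-out. The field names, purposes, retention periods, the third party "ExampleSMS Ltd" and all URLs are constructed placeholders, not Esendex's actual policy:

```javascript
// Added example, not code from Esendex or the ICO. Everything in the inventory
// below (fields, purposes, retention periods, third party, URLs) is constructed
// for illustration only.

const FULL_POLICY_URL = "https://example.com/privacy"; // assumed placeholder URL

// The questions from Step 1 that every collected field must answer.
const REQUIRED_KEYS = ["what", "why", "lawfulBasis", "who", "where", "when"];

// Constructed inventory for a hypothetical checkout form.
const fieldInventory = {
  email: {
    what: "Email address",
    why: "to send your order confirmation and receipt",
    lawfulBasis: "performance of a contract",
    who: [], // not shared with any third party
    where: "our order system, hosted in the EU",
    when: "kept for 6 years after your purchase for accounting records",
  },
  mobile: {
    what: "Mobile number",
    why: "to send you an SMS when your order is dispatched",
    lawfulBasis: "performance of a contract",
    who: [{ name: "ExampleSMS Ltd", role: "SMS gateway provider", // constructed third party
            policy: "https://example.net/privacy" }],
    where: "our order system, hosted in the EU; passed to ExampleSMS Ltd to send the message",
    when: "deleted 30 days after your order is delivered",
  },
};

// Step 1 check: every field answers every question, and every third party is
// named with a link to its own policy. Returns a list of problems (empty = ok).
function validateInventory(inventory) {
  const problems = [];
  for (const [field, entry] of Object.entries(inventory)) {
    for (const key of REQUIRED_KEYS) {
      const v = entry[key];
      if (v === undefined || v === null || (typeof v === "string" && v.trim() === "")) {
        problems.push(`${field}: missing '${key}'`);
      }
    }
    for (const tp of entry.who || []) {
      if (!tp.name || !tp.policy) problems.push(`${field}: third party without name or policy link`);
    }
  }
  return problems;
}

// Escape inventory text before it goes into HTML, so a stray "<" in a purpose
// string cannot turn the notice into markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function describeSharing(entry) {
  if (entry.who.length === 0) return "It is not shared with anyone else.";
  const names = entry.who.map((t) => `${t.name} (${t.role})`).join(", ");
  return `It is passed to ${names}.`;
}

// Step 4, "just in time": one sentence to show beside the field when it gets focus.
function justInTimeHint(field, inventory = fieldInventory) {
  const e = inventory[field];
  if (!e) throw new Error(`no inventory entry for field '${field}'`);
  return `We ask for your ${e.what.toLowerCase()} ${e.why}. ${describeSharing(e)}`;
}

// Step 4, "layered": the same sentence as the summary, the rest one click away,
// and the full policy linked in the call-out.
function layeredNotice(field, inventory = fieldInventory) {
  const e = inventory[field];
  if (!e) throw new Error(`no inventory entry for field '${field}'`);
  const thirdParties = e.who.map((t) =>
    `<li>Shared with <a href="${escapeHtml(t.policy)}">${escapeHtml(t.name)}</a>, ${escapeHtml(t.role)}</li>`
  ).join("");
  return [
    `<details class="privacy-layer" data-field="${escapeHtml(field)}">`,
    `<summary>${escapeHtml(justInTimeHint(field, inventory))}</summary>`,
    "<ul>",
    `<li>Lawful basis: ${escapeHtml(e.lawfulBasis)}</li>`,
    `<li>Where it is held: ${escapeHtml(e.where)}</li>`,
    `<li>How long we keep it: ${escapeHtml(e.when)}</li>`,
    thirdParties,
    `<li><a href="${FULL_POLICY_URL}">Read our full privacy policy</a></li>`,
    "</ul>",
    "</details>",
  ].join("");
}

// Stand-alone run: refuse to render anything while the inventory is incomplete.
const issues = validateInventory(fieldInventory);
if (issues.length) {
  console.error("Privacy inventory incomplete:\n  " + issues.join("\n  "));
} else {
  console.log(justInTimeHint("mobile"));
  console.log(layeredNotice("mobile"));
}
```

Running the validator in your build or test pipeline, and failing the build on a non-empty result, turns the Step 1 audit into a check that cannot silently go stale when a new field or a new third party is added to a form.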

In conclusion

Existing customer communications can continue where a legitimate interest exists, but that interest must still be stated in the privacy notice.
For new relationships, the ICO recommends as good practice that businesses put themselves in the position of the people they are collecting information about.
If an individual would not reasonably expect what you will do with their information, you will need to actively provide the privacy information to them rather than simply making it available for them to find. We will explore how Esendex is revisiting our privacy policy in a future blog post.
