Transparency is a key principle in all privacy laws* and it’s easy to see why. Secretive collection and use of personal information doesn’t usually end well. Telling people upfront what personal information you want or need, and why, helps them make informed decisions. Decisions about which organisation to interact with, decisions about which products and services to go for, and decisions about what optional information to provide (or not).
* I haven’t read every privacy law in the world but I am pretty sure it’s in most if not all of them!
Honesty is the best policy and if you don’t want to tell people what you’re doing with their information, then you probably shouldn’t be doing it.
However, there is a difference between providing information about how you collect and use personal data and doing it well. Most organisations rely on a website privacy notice to do the job, many write in a legalistic fashion, and many write for the regulator. And so no-one reads them and they fail in their key task: to inform.
The best transparency is telling people what they need to know, when they need to know it, in a way that makes sense to them.
And backing it up with a stand-alone privacy notice that has everything in one place.
Write for your audience
The main rule in my view is to write for your audience. Not the regulator. What’s most important to know at any given point you ask for personal information? How can you set out the information in a way that is clear and easy to understand? A layered approach is useful for more complex or lengthy information.
Map your customer journey
Do you know all the points you ask for information and why? If you’re generally doing privacy governance well you’ll have mapped your customer journeys and interactions, know what you ask for and why, understand your lawful basis, where you keep the data and how long for, and whether you disclose it to anyone else. If you don’t know any of this, you’re going to struggle to provide accurate privacy information. Your stand-alone privacy notice should be the last thing you write, after you’ve done your data inventory, mapped your customer journey and decided what you need to say and when. You’ll find your privacy notice practically writes itself.
What to include?
Some laws set out what you have to include, but that doesn’t mean you have to slavishly follow this as the template for your headings and order. What is going to make the most sense for your audience? It might be better to mirror a customer journey, for example, ‘When you register’ followed by ‘Using your account’ followed by ‘How to update and delete your account’. It might make more sense to tackle one product or service at a time, or to reflect different audiences, such as individual users and corporate customers.
Some will argue that (at least in the UK and EU) you need to stick to exactly what the law says you have to include. I don’t believe that means word for word, especially for things like ‘lawful basis’ which means nothing to your average customer or user. If you tell them you will use their information to provide the service they have signed up for, or if it’s needed as part of legal proceedings, or to send them marketing if they agreed to it, you are effectively setting out your lawful basis. I’d be amazed if a regulator couldn’t work out the corresponding GDPR term! If you are more risk-averse though and you really want the words ‘lawful basis’ in there, you can add a section at the end of your notice called something like ‘Legal information’ or ‘Information required by GDPR’ and then you can write that section for the regulator. (This is as well as, not instead of, providing the information for your audience in a way they understand.)
Who should write your privacy information?
In some companies it looks like the legal team wrote it, in others the marketing team. In many companies it’s the privacy person or team (as the nature of their job means they have to understand all the data collection and use, and they know what the relevant law’s transparency requirements are). In my view it doesn’t matter who writes it. The author isn’t important, the content is. Is it factual? Is it accurate? Is it clear? Is it easy to find?
Have you tested it?
Getting an alternative perspective and testing your privacy information on its intended audience is a great way to see whether it’s doing its job. Some organisations carry out user testing through their customer base or by using agencies who recruit and manage testers. Some use free websites that provide a reading age for their copy. Even if you don’t proactively test, you should be open to feedback.
Keep it updated
But getting it done isn’t the end, it’s the start. It’s only factual and accurate if it’s up to date. You need a review and update process to make sure it stays that way, and to incorporate any useful feedback you have received.
In summary
Ultimately, if you do transparency well you will have happy customers or users who can make informed decisions, may trust you more and will probably complain less. Happy days all round.
Photo credit: DS Stories from Pexels.