Which is why your Privacy Notice needs to be more transparent than ever…
With GDPR Day fast approaching, clear messaging around your approach to protecting customers’ privacy and how you use their personal data has become a key focus for many companies – and now even more so thanks to the recent Facebook scandal.
As users discover that the social networking platform allowed a third party to harvest their data (and holds far more information on them than they expected, such as logs of their calls and texts), the need for transparency has never been more important.
Compound that with the reality that most of us willingly share information online, allow our data to be freely collected by whomever we sign up with, and then spend little time, if any, actually reading lengthy privacy notices, and it’s no wonder that so much rests on trust and acting responsibly.
That’s why with great power comes great responsibility…
Or, rather: With great data comes great responsibility.
Being fully open, honest and transparent in declaring what data you collect on your customers – and why – is integral to building and retaining their trust and confidence. Not only that, you can also use it to proactively distinguish yourself from your competitors.
But, most of all, there’s the whole legal aspect underpinning the need for transparency, so as to comply with the GDPR…
And the most common way to do this is through your privacy notice.
Your Privacy Notice is your commitment to protecting your customers’ data.
If you collect personal data, the GDPR demands that it be processed fairly and lawfully, and that your privacy notice is crystal clear in meaning.
It needs to explain to users, at the point of data collection, what they can expect will happen to their data: namely, what will be done with it, by whom, and who it’ll be shared with.
Your Privacy Notice and key points to remember…
So, if you’re reviewing your Privacy Notice or have yet to write one, here are some key pointers to help ensure you’re complying properly:
- To process data fairly and lawfully, the data controller has to make clear (at the point of collection):
  - who the data controller is;
  - the purpose(s) for which the information will be processed; and
  - any other information that’s necessary to enable the processing to be fair.

  (NB. This applies whether the personal data was obtained directly from the data subjects or from other sources.)
- To ensure fairness, you need to:
  - use the data in a way that people would reasonably expect (and, if unsure, undertake research to understand what those expectations are);
  - consider the impact of your processing – what effect it may have on the individuals concerned and whether it could cause them to object or complain.
- Your Privacy Notice must be concise and easy to read, written in clear and plain language, and must make users aware of the salient facts, such as:
  - What information is being collected.
  - Who’s collecting it.
  - How it’s being collected.
  - Why it’s being collected (i.e. what your legal basis is).
  - Where their data is going to be held and by whom.
  - How it’s going to be used.
  - Who it’ll be shared with.
  - How long it’ll be held for.
- You still need to be fair and transparent even if you’re likely to accrue data that hasn’t been consciously provided by users (e.g. via tracking analytics or inferred from profiling algorithms). Admittedly, it is more challenging to provide privacy information in these instances, so you may want to consider carrying out a privacy impact assessment (PIA – a way of assessing and mitigating privacy risks involving personal data).
- Your notice should give users appropriate control and choice – by explaining what you are asking them to agree to and why.
- It should give people a genuine opportunity to exercise their choice – meaning that consent must be freely given, specific and fully informed.
- It should allow people to withdraw their consent at any time (with procedures in place to act on and record withdrawals when they happen).
- It should be accessible, so that users routinely have greater choice and control over how their personal data is used. For instance, a blended approach gives users different ways to be reminded of and to access your notice; in a digital context this can include all the online platforms used to deliver services.
If you’d like to discuss any issues or need a hand on how to approach or write your privacy notice, please get in touch. We’re here to help!
In the meantime, though, we need to return a couple of marketing calls left on 1st April – Ben Di Bahnarnas from Exotic Fruits Inc and Mike Hardigan-Fitzbaddely from HangLoose Ltd.
Privacy aside, whoever would have thought it?
Until next time…