What to include in a privacy notice - GDPR series

What to include in a privacy notice - GDPR series

7th December 2017 in GDPR

With GDPR enforcement just around the corner, businesses across Europe (and the world) are assessing the ways they collect data, and the privacy notices that sit alongside them.

In our summary of GDPR and how it will affect digital marketing, we mention the importance of using privacy notices on your website. So now you know that you need one, we’re ready to delve deeper into what a privacy notice actually is…

What is a privacy notice?

A privacy notice helps people understand how their personal data is used and make informed decisions about whether to share their data on the back of this knowledge.

Simply put, you need to make sure you tell your website users (data subjects) how you are going to use their data before they give you it.

You can’t do this by simply providing a link to your privacy policy anymore.

Why you need to use privacy notices

GDPR is all about making the world of personal data processing fair and more transparent. Gone are the days of organisations being able to stand by the belief that they “earned” your data, so they can do what they like with it.

Personal data is owned by the individual, not the organisation it has been given to.

As the ICO says, “Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

What you need to include in a privacy notice

Under the GDPR, the information you provide about how you process people’s personal data needs to be:

  • Concise, transparent, intelligible and easily accessible
  • Written in clear, plain language (especially if you’re addressing children)
  • Available free of charge

You need to include a privacy notice everywhere on your website that you collect data. It’s essentially a condensed version of your privacy policy that’s tailored to each specific data capture.

When writing a privacy notice, be sure to address the following:

  • What data are you collecting?
  • Who is collecting the data?
  • Will it be shared with any other organisation? Who? (Name them.)
  • Why are you collecting this data?
  • How will you use it?
  • Can they opt out of you using their data later down the line?
  • Include a link to your full privacy policy where users can read about the above in further detail.

What does a privacy notice look like?

Writing your privacy notice should be easy enough - but how should it be presented?

There are two ways to format a privacy notice that the ICO supports.

Layering

The first ICO advocated approach to presenting your privacy notices is through layers.

Layers allow you to provide as much information as you need to in your privacy notice clearly and effectively, without taking up too much space.

Privacy notice layering - Applied Digital Marketing

The first layer can be a headline such as our “Relax, your data’s safe with us.” Or the ICO’s example, “How will we use the information about you?” Followed by the second layer, collapsable information about data collection and processing. The third layer can then be a link to your privacy policy or a page where users can find more information.

Privacy notice layering - Applied Digital Marketing

Just in time notices

The second example from the ICO of how to display your privacy notice is through the use of a just in time notice.

As shown below, when a user interacts with a data field, the information about how you will use that specific piece of data appears.

Just in time privacy notice - Applied Digital Marketing

They can then decide if they want to continue, or they can follow a link to read more about how you process user data.


Updating your privacy notices to be in line with GDPR requirements doesn’t need to be as intimidating or complicated as it may initially seem - the focus is all on transparency.

Further information about privacy notices from the ICO can be found here:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/where-should-you-deliver-privacy-information-to-individuals/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/

Or you can take a look at our privacy policy here!

More from the blog