As a requirement for valid consent, privacy notices should be completely revamped in most cases. The GDPR introduces several changes that aim to make privacy notices easily understandable. The aim is to have comprehensive documents that make it clear what is being done with personal data.
Therefore, legalese should be avoided in an effort to make sure the average person understands what they are consenting to. Otherwise, consents obtained with policies that are hard to understand could turn out to be invalid. That is why we decided to compile a list of helpful tips to help you make sure your privacy notices are GDPR-compliant.
1. Introduce Yourself
As required already, a privacy notice must include the address and contact information of a person within the company. Provide a ‘human’ face to your company: let your users know whom they can turn to in case they have any questions. Make sure the contact person you designate is capable of answering the users’ questions.
You can add several ways for people to reach you: directly via e-mail and via post, for example. Consider adding a phone number as well.
2. Explain Yourself
Tell people what you plan on doing with their data and what you need their data for. List all the use cases for their data. You won’t be able to use the data for purposes other than those mentioned in the privacy notice, barring very few exceptions.
Your chances of obtaining meaningful consent are much higher if you are clear and forthcoming about your actions.
3. Provide Details
Who will have access to the data? Do you plan to use legitimate interest as your basis for processing? Will you share the data with other third parties? How long will you store the data for? Do you use profiling or automated decision making?
These are the answers you must provide. Clearly define, outline and explain the reasons for doing so. If there are potential consequences to your actions, such as with automated decision making, you have to provide the details in an understandable manner. Explain what you are doing to keep the users’ data safe. Briefly state the security measures and data protection methods you use and why.
4. Inform About Rights
Under the GDPR, individuals have plenty of rights. The rights of the data subjects must always be respected and mentioned. Never forget to state their rights to withdraw consent and seek deletion of their data. Also explain how they can object to processing and/or profiling.
5. Be Truthful
Do not obfuscate or lie. If you have to mask something unsavoury in order to get consent, maybe you should not be doing it in the first place.
For example, by saying that ‘we never share your data with third parties, except those pre-selected by us’, you are essentially deceiving the customer and betting on the fact that they’ll see the word ‘never’ and just skim over the rest. On top of that, you have not even said which third parties you will share the data with.
Similarly, don’t omit any information that you feel might be useful. Put yourself in the users’ shoes: what would you like to know? Remember, the GDPR doesn’t prohibit entering additional information into the privacy notice. If anything, it is encouraged.
6. Ensure Consistency
The privacy notice should read just like any other text on your website. Make it consistent in style and feel with any other text one could find on your site. It should be something people will not have a hard time reading.
7. Simplify, Simplify, Simplify
The GDPR is big on simplicity. It is important to make sure the average reader understands what you wrote. The privacy notice must use simple language, but not at the expense of omitting important information.
Use simple sentence structures and curb your use of ‘big’ words. It may seem like dumbing down, but the idea is to help everyone understand what’s going on without necessarily being able to understand legal terms.
8. Tailor Your Notices
You are advised to go one step further. Taking into account the ideas from #7, the authorities recommend you serve separate but equal notices to different groups of people. For example, use an even simpler form of English for non-native users. Or, simplify terms in another way for children and younger users.
Conversely, law experts can have the option to see a more detailed policy. Persons with accessibility needs could have the ability to hear a spoken version of your notice.
But make sure to make it a matter of choice: you do not want to presume anything about your users!
9. Go Interactive
A privacy notice doesn’t have to consist of a blob of text. No matter how nicely you format it, it is still a blob of text. Instead, you can opt for an interactive notice where you serve information in a piecemeal manner, step-by-step or just-in-time.
Or, you could use an animated short video to complement your privacy notice. The possibilities are endless, as long as it benefits the end-user.
The End Result
Individuals will benefit significantly from these updated policies, since they will have a better understanding of how their data is being used. And the effort on the part of companies should be minimal.