The top five things organisations get wrong with their privacy statements
Under the GDPR, people have the right to be informed. This obliges data controllers (the organisations that decide why and how personal data are used) to tell people how their data will be used and what rights they have to control this. Where you collect data directly from people, you have to provide this information at the point of collection. This means data controllers need to provide a privacy statement that sets out:
• What data you collect.
• What you use it for.
• What the lawful basis for doing so is.
• People’s rights to control this.
The privacy statement must also include your organisation's contact details and, where you have appointed one, the contact details of your data protection officer.
As a legal requirement, a privacy statement is an important part of GDPR compliance. It is also a good way of keeping people informed about your data processing, which makes it a useful tool for engaging with customers, suppliers and employees.
What does a good privacy statement look like?
A good privacy statement must be both comprehensive and succinct.
While most organisations publish their privacy statements online, you don't have to; you do, however, have to make the statement easily accessible and free of charge.
Alongside covering the points above, a good privacy statement is written for its audience, in language they can understand, and is used as a tool for engagement.
Top five mistakes
1. Using a generic template without adapting it
Each privacy statement must be specific to the organisation, because even organisations in the same sector, even direct competitors, process data in different ways. For example, some organisations rely on different lawful bases for the same processing activity. While this may feel like a technicality, it affects which rights people have and how they can exercise them.
Generic privacy statement templates are useful. However, they must be adapted to your organisation and the data processing it does.
2. They fail to cover employees or other important areas of data processing
It is important that your privacy statement is comprehensive. Yet many privacy statements fail to cover the processing of employee data, even though employees are data subjects with the same rights as anyone else.
You can set out separate privacy information for employees, but we think it is a good idea to include it in your published privacy information because:
• It is an easy way for employees to find it.
• It informs prospective employees of what data you process for recruitment and appointment purposes.
• It avoids the version control issues that arise from maintaining two different sources of privacy information.
3. They get the lawful basis for processing wrong
It is important to get the lawful basis you are relying on right when setting out your privacy statement. This is for two reasons:
• The lawful basis you rely on determines which rights people have and how you comply with them. For example, the right to data portability only applies to processing based on consent or a contract, and the right to object applies to processing based on legitimate interests or a public task.
• Some lawful bases require different approaches to demonstrate compliance. For example, you must be able to show that consent was actually given, and legitimate interests requires you to balance your interests against those of the people concerned.
One of the challenges we still see is an overreliance on consent as a lawful basis, particularly as a catch-all for all data processing. This is a problem because consent is only appropriate in some circumstances: it must be freely given and can be withdrawn at any time, so it is not a sound basis for processing you need to do anyway. If the processing must be done to engage with a prospective customer (providing a quote, for example), another lawful basis is more appropriate, such as taking steps at the person's request before entering into a contract.
Also, you may rely on more than one lawful basis as a customer's or employee's data moves through your systems. You must think about everything you use personal data for and define the lawful basis for each purpose separately.
4. They are far too legalistic
Privacy statements are there to engage with the people whose data you process and to help you comply with their rights.
They are not a contract, a way of indemnifying yourself against a data breach, or any other tool to protect you from enforcement action. Yet too many privacy statements use dense legal language or contain irrelevant information.
Remembering what a privacy statement is for, and why it is required, will help you make it both comprehensive and succinct.
5. They don’t write for their audience
Privacy statements must be developed for the people whose data you collect and process, and by extension must be presented in a form that they can understand.
This means you must take care wherever something might stop the people whose data you process from understanding the information you provide. Examples include:
• Producing audio versions of the privacy statement for people who are partially sighted or blind.
• Providing translations if you often deal with people who don't speak English.
• Using simple and straightforward language for younger people.
• Using videos or animations, rather than text, to explain complex data flows.
The problem here often arises from the legalistic approach described above. It can also arise because people misunderstand how GDPR rights apply to children and other vulnerable groups, or because organisations haven’t thought about who they’re writing their privacy statement for.
Free privacy statement review
At WuDo Solutions, we provide a free privacy statement review service. If you would like us to look at your privacy statement and offer you advice and some quick wins for improvement visit https://www.wudo.solutions/privacy-statement-review/ or contact us at email@example.com or 0330 221 0547
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
WuDo Solutions – World class governance expertise
WuDo Solutions provides world-class training and consultancy services in areas such as risk management, information governance, and conflicts of interests.