Introduction – Your legal obligation
If your business determines the purpose for which personal data is being collected, then it is classed as a data controller. Being an employer or handling customers’ personal data will put you into this category. Whatever the reason, a data controller has a legal obligation to inform the relevant people about how their data will be used. In this article, that information is referred to as a privacy message, and it needs to tell a story describing how a business intends to process the personal data it collects.
The logic and business context
This article intends to steer you through the logic behind preparing a privacy message and to highlight its benefits in general. I do ask that you read it in the context of your business operations. Meeting the requirements of the GDPR is a risk-based approach, which means the degree to which you apply the law will reflect your risk appetite and other priorities.
Setting the tone
Although the GDPR is largely principle-based, in the area of informing data subjects, it does provide specific direction as to what must be included in a privacy message. A good one is going to be the result of a number of decisions. In effect, it becomes the pinnacle of your business’ privacy framework and it sets the tone of your entire data protection stance. Its creation is not trivial; it may take you several iterations before you meet your requirement in full. Even then, it will need to be reviewed regularly.
At the point of collection
You can take a horse to water…
It’s important to stress that a privacy message is provided for information only; it is not meant to be a contract or conditional to further interaction. It is up to your intended audience to be satisfied with the content of your message before parting with their personal data.
It is, therefore, critical that the privacy message is lawful, fair and transparent. If you get it right, your intended readers will never be surprised, shocked or dismayed to learn later how their personal data is being processed. If they are surprised, then either your message was lacking or they did not read it properly, but in the latter case at least you did your job.
What goes in
The actual content needed is set out in the GDPR (Articles 13 & 14). The message must be prepared in such a way that it is concise, transparent, intelligible and easily accessible, using clear and plain language, especially if it’s being directed to a child. Achieving all of these aspects may seem a near-impossible task, because there is a lot you need to consider. Style of writing plus layout plays a big part in producing an effective message.
What to call it
Whatever you choose to call it, don’t confuse it with, or include it in, the ‘Terms and Conditions’ of your business. Each serves a distinctly different purpose and, in all probability, your privacy message would fail the transparency test if ‘hidden’ in another document.
For many businesses, a link to a privacy message is placed on the home page of their website. For it to be really effective the link must be easy to find, especially on any ‘contact page’ that facilitates the receipt of enquiries. Ideally, the link should be close to the ‘submit’ button for extra accessibility. This use of the website is a good way of advancing your message to the public in general, but a more specific message (I call it a privacy notice) may be needed as the nature of the enquiry matures.
There are many other ‘off-line’ scenarios which the data controller has to consider. One example is at trade fairs, where there will be face-to-face enquiries and an exchange of personal data at business stands for follow-up action. In this case, having a copy of your privacy message on show at the table is just one method of helping you to meet your obligations in a relatively friction-free way. The point here is that even when it is awkward to provide a timely copy of a privacy message, it still must be done.
Spotting the boilerplates
I have seen various privacy messages on websites that are screaming ‘I’m just a boilerplate trying to convince you that I am fulfilling my legal obligations’ when, in reality, nothing could be further from the truth. Such approaches tell me that the company in question has spent very little time trying to understand what is needed, which in turn invariably means their privacy framework is non-existent, leaving that company vulnerable to complaints or worse.
The AWOL message
The complete absence of a privacy message speaks for itself and it’s not good, in fact, it’s very bad! If your company has this issue, then do not delay fixing it – it is highly likely that you are currently processing personal data illegally.
The benefits of thorough preparation
Aside from your business appearing to be doing things properly, there are much more compelling reasons why investing time in preparing (or reviewing) your privacy message is essential.
When you look at what is needed, such as stating the lawful bases for processing, you are really forced to think: ‘how can I justify what I am doing in legal terms?’ This exercise of self-questioning is actually very healthy. It will lead you naturally through a sort of ‘data discovery and justification’ process where, possibly for the first time, you might start to appreciate the full extent of the personal data you are processing, and why.
A flying start
The other huge benefit of a well-thought-out privacy message is that it gives you a flying start when it comes to responding to data subjects who want to exercise their rights. In the case of the ‘Right of Access’, aside from gathering the material itself to hand over, you will already be in a position to answer the basic questions by simply referring to your privacy message. The effort of resourcing the response is onerous enough, so anything that saves you time at this stage is really worthwhile.
Spare the heartache
In summary, a well-thought-out privacy message is worth its weight in gold. Not only does it help to fulfil your legal obligations and force you to review your privacy framework, but it will also answer the majority of questions before they are even asked by your various data subjects. If you don’t have one now, or your current privacy message still refers to the Data Protection Act 1998, then it’s out of date and in need of urgent review.
Health warning: it will take resources and a few iterations before your privacy message becomes robust and ‘fit for purpose’, but the time and energy invested in it will save you much heartache later. If you need assistance, please get in touch.
Norfolk’s Data Protection Mardler