This edited extract is from How to Use Customer Data by Sachiko Scheuing ©2024 and reproduced with permission from Kogan Page Ltd.
Do you use personal data?
I bet you do because otherwise, you would not be reading this book. If your company uses personal data for marketing, accounting, HR, or whatever other purposes, you need a privacy policy.
The traditional approach to data protection and informational self-determination holds that meaningful control over your own data is only possible if you are informed about how the data will be used.
One of the first rules GDPR lays down in its text, after clarifying the scope of the law and the different definitions, is Article 5 (legislation.gov.uk, 2016):
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
This very requirement triggers the need for a privacy statement.
Companies, in particular when they are data controllers, must be accountable for their data use and have a privacy statement. Accountability is spelled out in Article 24 of the GDPR, and Article 24(2) requires controllers, where this is proportionate to the processing, to implement appropriate data protection policies (legislation.gov.uk, 2016).
A privacy statement is the outward-facing part of such a policy. The same policy also matters for automated individual decision-making, including profiling, which the GDPR regulates separately in Article 22: not profiling for marketing that automates the selection of ads to be shown and so on, but profiling that can have a legal or similarly serious impact on people.
For that kind of profiling, a documented data protection policy that includes a privacy statement is part of what the controller needs in order to demonstrate that the processing is compliant (legislation.gov.uk, 2016).
In any event, a privacy statement is an important document. GDPR dedicates two articles to listing the precise information you need to include in your privacy policy: Article 13 sets out the requirements when you collect data directly from consumers, and Article 14 those for situations where data is collected indirectly (legislation.gov.uk, 2016).
Who Will Read Your Privacy Statement?
In the food labelling example, it was me, a customer checking for a particular ingredient, who read the label. Have you ever wondered who reads your privacy statement?
Customers and prospects are one obvious group of stakeholders who are concerned about what is happening with their data once it’s in your hands. Privacy activists and consumer protection organizations may also be going through your privacy statement.
Authors and academic researchers in the field of data protection find it a great source of information, learning how companies are using personal data. Regulators, judges, and lawyers who are working on a case that involves your company also take great interest in your privacy notice.
Your corporate image is shaped by how your privacy statement reads. Customers, in business-to-business as well as business-to-consumer markets, pay great attention to your privacy practices.
Business partners and suppliers to your company often formalize the review of your company’s data protection compliance, asking questions about your privacy statement in their due diligence questionnaires.
Whoever the readers are, the privacy statement is another "touch-point" for a variety of stakeholders, including revenue-generating parties like customers and partners.
You want them to have a good impression of your privacy practices, and the first chance you have to showcase this may be your privacy statement. Borrowing the words of the ICO, a good privacy statement “helps build trust, avoids confusion, and lets everyone know what to expect.” (ICO, 2023)
How Long Should My Privacy Statement Be?
GDPR expects you to draw up a privacy statement long enough to properly explain which data is collected, used, and stored. This is what makes your privacy statement transparent.
At the same time, your privacy statement must be concise, according to Article 12(1) of GDPR (legislation.gov.uk, 2016). These two requirements seem to contradict each other at first glance, so the EU regulators explain how to reconcile them in their guidelines on transparency (Art 29 WP, 2018).
While a privacy statement aims to give the information consumers need to make decisions about their personal data, regulators are also aware of the phenomenon known as "information fatigue" or "information overload." The hypothesis is that human beings have a limited capacity to digest information.
When too much information is presented, people become overwhelmed and either ignore the information or make illogical decisions to cope with the psychological stress they experience (Simmel, 1950; Milgram, 1969).
There are two strategies that avoid this and, at the same time, still provide all the details required.
Have A Clear Structure
Before starting to write a privacy notice, list out all the information you need to provide in it. Then, think about how you want to present it to your customers and other data subjects in a logical manner.
In doing so, you might want to read the privacy statements of big consumer brands and governmental organizations and find out how their privacy statements are structured.
There is a good chance that their privacy notices were prepared by experienced in-house lawyers or by law firms that specialize in data protection. The idea is to get a feeling for what great privacy statements look like.
You might also want to read up on the privacy statements of your competitors, as well as those of your partners in your business field.
Ask your privacy person which competitors have good reputations with regard to their data protection practices, or perhaps you already know who they are. Just take a look at how their privacy notices are structured. You can also simply adopt the structure of the ICO's privacy policy template.
Whatever you do, the key is to improve the readability of your privacy statement by giving it a logical structure.
Prepare Privacy Notices In Layers
Another approach, endorsed by the regulators, is the so-called layered approach (Art 29 WP, 2018).
Assuming that the privacy notice is going to be online, you can make your privacy policy interactive by using links, so that users can click through when they want more information or stay on the first-level summary if they so wish, just as you would use an online encyclopedia.
This way, the key messages are simplified, and readers of your privacy statement get a good overview from the first layer of the statement alone.
Regulators recommend that the following information be visible in the first layer of the privacy notice (Art 29 WP, 2018, p 19, para 36):
- Details of the purposes of processing
- The identity of the data controller
- Description of the data subjects’ rights
- Information on the processing which has the most impact on the data subject
- Information on the processing which could surprise them.
When Do I Have To Present The Privacy Statement?
Consumers must be informed, as early as possible, what their data is collected for, for instance marketing purposes.
When you are collecting data directly from your customers, you must present your privacy notice the moment you are collecting the data (see Article 13(1) GDPR; legislation.gov.uk, 2016).
In a scenario where you license the data from other organizations, such as from public sources or marketing data providers, Article 14(3)(a) to (c) require the privacy information to be provided in the following manner (legislation.gov.uk, 2016):
- within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
In short, for licensed data that does not include contact details, the privacy notice must be communicated within a month at the latest.
If you are using contact data like names, telephone numbers, email addresses, and physical addresses, you need to communicate the privacy statement no later than the first time you send a commercial message to those people.
In practice, companies embed a link to the privacy statement in email messages or print that link on direct mail pieces to fulfil this requirement.
References:
- Art 29 WP (2018) Article 29 Data Protection Working Party, WP260 rev.01 Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017, last revised and adopted on 11 April 2018, https://ec.europa.eu/newsroom/article29/items/622227 (archived at https://perma.cc/4HWYURKL)
- ICO (2023) UK Information Commissioner's Office: Transparency, cookies and privacy notices, https://ico.org.uk/for-organisations/advice-for-small-organisations/frequently-asked-questions/transparency-cookies-and-privacy-notices/ (archived at https://perma.cc/K3ZR-T7E5)
- legislation.gov.uk (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016, www.legislation.gov.uk/eur/2016/679/contents (archived at https://perma.cc/NVG6-PXBQ)
- Milgram, S (1969) The experience of living in cities, Science 167, 1461–1468
- Simmel, G (1950) The metropolis and mental life, in K H Wolff (ed.), The Sociology of Georg Simmel, Free Press, New York, USA.
To read the full book, SEJ readers have an exclusive 25% discount code and free shipping to the US and UK. Use promo code SEJ25 at koganpage.com here.