1. Double-check your data subjects
The law says you need to provide data processing information to all the categories of people whose personal data you process. Your website privacy notice is a great way of doing this and, for many organisations, the main way.
2. Teach the reader how you use their data
Some good techniques are to:
- Use smart formatting. Consider using a ‘layered’ approach by having key information immediately visible and inviting the reader to click to see more detailed information on a particular point. That way they can speed-read the sections which are important to them.
- Avoid using lots of legal language. Data protection law can be complicated but most of the basics can be explained in plain English. If your organisation has a more informal communication style then use that to your advantage.
- Arrange information in tables. This is really effective when listing the types of data processing you carry out, the categories of data you process and your lawful bases for doing so. The reader can quickly scan down and across to find the information they need.
- Don’t fire and forget. Once the policy goes live, double-check all the formatting and adjust as necessary. Broken links and inconsistent fonts don’t give the impression that the policy is taken seriously or that it is regularly maintained.
3. Don’t forget about cookies!
Data protection law says that consent needs to be ‘fully informed’ for it to be valid. This means you should clearly explain to the user:
- what each cookie does;
- how long each cookie is set for; and
4. Be specific about your legitimate interests
Having a ‘legitimate interest’ is one of the bases you can rely on to lawfully process personal data. It’s also one of the most common.
However, the law says it’s not enough just to say that you’re processing personal data because you ‘have a legitimate interest in doing so’. Rather, you need to go one further and actually explain what your specific interest is for that type of processing. Here are some examples:
“We have a legitimate interest in keeping you up to date with our sales, offers, competitions and new product releases which we think will be of interest to you.”
“We have a legitimate interest in creating and keeping records which contain your personal data so that we can more efficiently operate our business.”
5. Name your EU representative (if you have one)
A recent change to the law is that if you are UK-based but process personal data of individuals in the EU then you may need to appoint an EU representative. One of your representative’s key responsibilities is to pass on any correspondence received from the European data protection regulators.
Don’t have a European representative or not sure if you need one? Have a look at our short blog “Do I need to appoint an EU representative for data subjects living in the EU?”.
Have I missed anything?