Your privacy policy (aka ‘privacy notice’) is the main way you tell visitors to your website how you process their personal information.
How to make sure your privacy policy is clear and legally compliant
Follow these simple tips to help ensure that your privacy policy is clear and legally compliant.
1. Double-check your data subjects
The law says you need to provide data processing information to all the categories of people whose personal data you process. Your website privacy notice is a great way of doing this and, for many organisations, the main way.
Don’t be tempted to limit your website privacy notice just to the information you process about your website visitors, however. It is likely that you process personal data relating to customers, suppliers, referrers and other people that your organisation interacts with. You need to provide each of them with an explanation of what you do with their personal data. If you’re not telling them using a different method, then your website privacy policy is usually the best place to do it.
You also need to provide processing information to your staff, contractors and job applicants. It’s best to keep that information separate from your main privacy policy (particularly because some of the information might be confidential).
2. Teach the reader how you use their data
Rather than your privacy policy being a repository (knowledge dump) for everything you do which is data protection related, think of it as an opportunity to teach your data subjects what you do with their information. Clearly explaining your data processing activities shows that you have a good handle on your legal compliance. You can also show off a bit of your organisational culture and personality in doing so.
Some good techniques are to:
- Use smart formatting. Consider using a ‘layered’ approach by having key information immediately visible and inviting the reader to click to see more detailed information on a particular point. That way they can speed-read the sections which are important to them.
- Avoid using lots of legal language. Data protection law can be complicated but most of the basics can be explained in plain English. If your organisation has a more informal communication style then use that to your advantage.
- Arrange information in tables. This is really effective when listing the types of data processing you carry out, the categories of data you process and your lawful bases for doing so. The reader can quickly scan down and across to find the information they need.
- Don’t fire and forget. Once the policy goes live, double-check all the formatting and adjust as necessary. Broken links and inconsistent fonts don’t give the impression that the policy is taken seriously or that it is regularly maintained.
3. Don’t forget about cookies!
If you use cookies on your website then you need to think about your cookie consent. Cookies which aren’t strictly necessary for your website to function can only be set on a visitor’s device if they’ve given their prior consent. This usually means clicking a button or ticking a box on a cookie consent pop-up or banner.
Data protection law says that consent needs to be ‘fully informed’ for it to be valid. This means you should clearly explain to the user:
- what each cookie does;
- how long each cookie is set for; and
- if it’s a ‘third-party cookie’ (e.g. a cookie you set on behalf of another domain, like Google Analytics cookies or social media tracking cookies), who the third party is and where the visitor can find their privacy policy.
Best practice is to include this information in a separate cookies policy which you link to when you ask for cookie consent. Don’t be tempted to squeeze the cookies information into an already-lengthy or hidden-away privacy policy. That’s because the ICO says:
“You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.”
4. Be specific about your legitimate interests
Having a ‘legitimate interest’ is one of the bases you can rely on to lawfully process personal data. It’s also one of the most common.
However, the law says it’s not enough just to say that you’re processing personal data because you ‘have a legitimate interest in doing so’. Rather, you need to go one step further and actually explain what your specific interest is for that type of processing. Here are some examples:
“We have a legitimate interest in keeping you up to date with our sales, offers, competitions and new product releases which we think will be of interest to you.”
“We have a legitimate interest in creating and keeping records which contain your personal data so that we can more efficiently operate our business.”
5. Name your EU representative (if you have one)
A recent change to the law is that if you are UK-based but process personal data of individuals in the EU then you may need to appoint an EU representative. One of your representative’s key responsibilities is to pass on any correspondence received from the European data protection regulators.
Once you’ve appointed an EU representative, you should name them in your privacy policy along with their contact details. Failing to do so could get you into trouble.
Don’t have a European representative or not sure if you need one? Have a look at our short blog “Do I need to appoint an EU representative for data subjects living in the EU?”.
Have I missed anything?
This is only a selection of the key points you need to include in your website privacy policy; it is not a comprehensive list. The Information Commissioner’s Office has produced a simplified checklist which you can work through to ensure you’ve got everything covered. The precise requirements are set out in Articles 13 and 14 of the UK GDPR, if you want to read exactly what the law says.
Any questions?
Hopefully these tips have helped you, but if you have any questions relating to your privacy policy or data processing in general then please contact me. We can advise you on a whole host of data protection issues, ranging from writing your privacy policy all the way up to advising on complex international data sharing frameworks.