Privacy policies protect both the business and your customers

Jan 27, 2020

If you read Part 1 of this series, you’ll know that we talked about how a privacy policy helps build trust with your customers and enhances the reputation of your brand when using personal data. The process of creating a privacy policy makes us think about what we do with data, and ensures that we communicate this effectively to those individuals and organisations that need to understand it.

One of the single most important principles of the GDPR is Transparency, and a key document for demonstrating this is your privacy policy. Regulators expect organisations to provide certain information explaining how the business will use any personal information it collects, how the “data subjects” and regulators can contact you, and how the “data subjects” can exercise their rights.

The GDPR also sets other expectations such as “appropriate technical and organisational measures”, and your Privacy Policy ought to list these alongside your processing activities, further strengthening transparency and trust in your use of information.

A well-crafted Privacy Policy will protect you and your business by making it clear what you do with information and why, allowing a free and informed choice to be made about sharing information with you. It will also help in any potential liability claims, because setting the expectations of all involved up front makes disputes easier to address.

When thinking about what processes you undertake and what personal information you process, you’ll need to include the more obvious “identifiable” attributes such as names, addresses, email addresses, and anything by which your users can be identified directly. You’ll also need to include indirect attributes such as cookies, IP addresses, device IDs or vehicle registration numbers, which initially may not identify the person but could in future identify that person when combined with other data you hold, or could reasonably come into possession of.

When was the last time you read a Privacy Policy?

It is highly probable that many of us will never read an entire privacy policy, unless, like me, you’re conducting research or are advising a client.

So, you might be asking, what makes a good privacy policy?

1. Ensure it complies with the law and is certainly written in the ‘spirit’ of the law.

The GDPR sets out some specific requirements for what constitutes transparency, information which should be clearly available in your privacy policy:

    • It should state that you are a Data Controller for the information you collect and include your contact information
    • State in general terms the processing you undertake, including the legal basis you rely upon to undertake that processing
    • The broad categories of data you process, and if you don’t get this from the individual directly, from where you obtain it
    • Who will use or access the information, or who you will share it with and why
    • The individuals’ rights and how to exercise them

2. Don’t use technical jargon or legalese. Your privacy policy should be easily understood by anyone who needs to understand it, and you could be deemed to be unlawfully processing information if you cannot demonstrate that it is understandable by a reasonable majority of people.

3. It must be relevant to your business. There are examples filtering through the Information Commissioner’s caseload now where the business has merely copied someone else’s policy, or used a template, but failed to tailor it to their own business.

The law requires that if you collect data, you can demonstrate that the individual has read, understood and accepted your privacy policy. If that policy is structured such that it encourages individuals to simply “scroll to the bottom and click accept” as has become the norm, it is likely to be considered to not meet the principle of transparency. People will not read it!

Depending on your business’s activities, size and use of data, there will undoubtedly be a lot of information to get across and how you present this will be very important. It should not be cluttered with legal jargon or irrelevant information, should be easy to find and the content easy to navigate. For example, if I visit your website to place an order, I should be able to easily see what you do with data when I place that order.

This may mean splitting your Privacy Policy, having separate ones for Consumers, Business Relationships, Employees and Suppliers, or even as is the case of one of our clients, separate policies for each division of their business.

Finally, there’s the matter of where your privacy policy should be. The only rule is that it must be available to the data subjects, to drive that informed choice, at the point you collect their data. So:

    • If you collect data on your website, it should be on your website
    • If you collect data in reception or at a store front, it needs to be printed or otherwise made available at that location
    • If you obtain data via a third party (for example, you run an Amazon or eBay store), you need to ensure that your policy can be accessed from those suppliers

It is that third point which also ties in your due-diligence processes, particularly where third parties are used to supply goods, services or functions for your business, including payroll administration, website hosting, data storage, confidential waste management, and IT management.

Providing you’ve got the content right and structured your privacy policy(ies) well, you will be well on the way to demonstrating a brand that can be trusted, one that will make you stand out above the crowd and make people want to work with you or use your brand.

If your privacy policy oozes confidence in what you do and how you do it, it will resonate with the readers. You’ll be seen as responsible and professional, which can only be a good thing!

In the final part of this three-part series, I look at some examples of best-practice privacy policies, and a few less appropriate ones which could see the owners fall foul of the law…
