How to write a privacy notice

In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time.  You may only have a limited understanding of data protection and privacy.  Perhaps this is not your main job.  Or perhaps you are relatively new to creating and maintaining data protection compliance programmes.  It may be that you know the law, but you’ve never put it into practise before.

We appreciate that in these circumstances certain jobs may appear daunting.  Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky.  Hopefully, we can help and give you the confidence to get this right.

The big picture

Your objective is to be transparent.  You want the person reading the notice to understand what you do with their personal data, what their rights are in relation to that personal data and how they can exercise those rights.  An individual should not be surprised by what you are doing with their personal data.  We have written previously about the level of transparency required ( “Are you sure you tell people what you do with their data?”).

If this is your first step you’re doing it wrong

If you are thinking about starting your privacy compliance journey with your privacy notice, think again.  Back up.  You can’t write an effective, compliant privacy notice without really thinking about, discussing and writing a few things down first.

You need to have mapped your data flows.  These show in a visual format the way personal data is collected, stored, used and shared by your organisation.  You then need to use these data flows to create a Record of Processing Activities, sometimes called an ‘Article 30 Record’.  This records what your organisation is doing with personal data and demonstrates that you are thinking logically and holistically about your processing of personal data.  Finally, you need to have thought about who your organisation is sharing personal data with and record this.

You are now ready to write a privacy notice (or perhaps more than one).

Start with a good template

In this article we are not going to list all the things that you need to include in a privacy notice.  At The Privacy Compliance Hub, we provide these to our clients as well as a series of template privacy notices which include everything required by the law.  The ICO (the regulator in the UK) tells people what needs to go into a privacy notice.  We won’t repeat that here.  What we are trying to do is be practical and give you some helpful tips to get this right as quickly and as simply as possible.  We suggest that you read the ICO’s own privacy notice.  Boden has a great privacy notice.  You might want to take a look at the BBC’s privacy notice.  See how they all adopt a layered approach and (to a varying degree) seek to use language that their readers will understand.  They are plain and simple.  Nobody starts from scratch.  See what other people are doing.

Think about who you are talking to

You collect personal data from a number of categories of people.  Is your privacy notice going to apply to all of them?  This has the potential to make things complicated and we believe in keeping things simple.  When we drafted our own privacy policy we realised that we process the personal information of the following categories of people:

• visitors to our website;
• random people emailing us or calling us;
• our main client contacts (we call these ‘Hub Owners’);
• our clients’ staff who have access to their own Hubs (we call these ‘Hubbers’);
• our vendors and partners;
• people who respond to our online advertisements; and
• people whose personal information is uploaded into a Hub by one of our Hubbers.

We took the view that we could explain how we process their personal information in one simple privacy notice which we would put on our website.  However, we also realised that our staff and those that applied to us for jobs needed something different.  We needed to provide them with separate notices that explained how we use their personal information.  Luckily, we have templates for those within The Privacy Compliance Hub.

Your Article 30 Record is your best friend

When we drafted our own privacy notice, we realised how much simpler it is when you have already thought about what your organisation actually does with the personal information it controls.  By having data flows, an Article 30 Record and a Record of Vendors & Partners the questions raised when writing a privacy notice become easy to answer.

For example, a privacy notice needs to state the ‘legal basis’ for each processing operation.  This can be tricky when starting from scratch.  When processing contact information for your email marketing list, are you relying on the legal basis of ‘consent’ or ‘legitimate interest’?  If you already have an Article 30 Record this decision has already been made and writing your privacy notice becomes so much easier.

Think carefully about cookies, analytics and targeted marketing

This is a tricky area, even for those within what is known as the ‘AdTech Industry’.  Also, it may be that your organisation outsources a lot of this stuff and so your level of knowledge is sketchy.  On a basic level, you need to know what analytics you use on your website (Google Analytics?); what online advertising you do (Google Ads, Facebook Ads, LinkedIn Ads?); what cookies and other tracking this uses (Facebook Pixel?); and how you analyse all this marketing (CRM?).  You then need to be transparent and tell people what you are doing.  You will either do this in a privacy notice or in information you provide about cookies.  We explain more about cookies in our article entitled, ‘Cookie ban(ner)’ but you need to understand that privacy notices and cookies are closely linked because they are both about using personal information in a transparent way which individuals can understand.

Don’t assume that nobody will ever read your privacy notices

People are becoming more privacy aware.  This is a good thing because organisations can no longer abuse or ignore individuals’ privacy rights.  However, the down side is organisations need to be ready for individuals exercising their rights.  And the first steps for individuals exercising their rights is to read your privacy notices.  Get these wrong and you are immediately on the back foot, acting defensively and looking bad (despite what may be the best of intentions).  If you have a comprehensive privacy compliance programme in place, including well written privacy notices, then responding to individuals exercising their rights will be easy and lead to enhanced customer trust.