By now, we all know what the GDPR is bringing (come May 2018). It brings clarity and transparency to the consumer, along with more control over how their personal data is collected, stored, shared and used.
Privacy policies should exist if your company collects data, to set expectations for the consumer about the journey their data might take and how it will be used. In the past, we’ve seen lengthy, jargon-filled pages with no way to easily dissect the information provided.
“Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR).” The ICO
The GDPR on privacy policies
The GDPR says that the information you provide to people about how you process their personal data must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge
Keep this front of mind when writing your privacy notices and align them to your house style. You want the information you provide to fit with your company ethos and your tone of voice. If you have in-house copywriters, they can help fit the language to what your customers would expect. If you don’t have in-house copywriters, our team can help make sure your policy is on brand and shares the information needed to be GDPR compliant.
Have you considered UX?
How can you make your page clear?
As a rule of thumb, avoid clumping the lengthy information into one solid block. Instead, break sections out clearly using headers, sub-headers and considered spacing to bring order and simplicity to the page. Another option is to use expandable headers displayed as a simple bullet list, which makes scanning the page much easier for the user and allows them to find the information they need much more quickly.
Further clarity for data capture forms
We’re seeing the use of just-in-time notices, which work by displaying further information only when it’s relevant. These notices can really help to balance information and simplicity, whilst not overwhelming the consumer.
Round up - Our favourite UX examples
These notifications appear immediately when you click on selected form fields. They are great at building trust between users and uSwitch, proactively explaining why certain bits of personal data are collected.
Expandable text boxes
Introduce your company – give clear contact details as well as stating what data privacy means to you as a company.
All companies should be ethical and reliable when it comes to data privacy and this is something you should let your customers know. We suggest including the following:
- Short introduction
- Business Disclaimer
- Company name and address
It’s best to start with a summary of what personal data is. A quick summary will do, but it all helps to get across total transparency so there is no confusion between you and your customers.
As well as summarising what personal data is, we’d recommend answering the following:
- What data do you collect?
- Why do you collect that specific data?
- Where do you collect data and how?
- How does the data help support your marketing activities?
- Where do you keep the data you collect?
- How do you ensure the data is kept safe?
What is personal data?
Personal data refers to data which relates to a living individual who can be identified from the data held. We take the protection and respect of
How do you use the data you collect? Describe this in detail, using clearly defined sections so readers can easily find the information that is relevant to them. We’d also recommend providing a short summary of this information at sign-up.
Third-parties & software
Do you share any of the data you collect? If so, you must explicitly tell people at the point of consent, as consent must be given for use by all third parties. If you use a third-party service provider that won’t contact the consumer directly but will be helping you to carry out a service, you can provide additional information. This gives complete transparency and promotes trust, but isn’t a direct requirement of the GDPR.
Describe any automated decision-making, including profiling: how the decisions are made, their significance and their consequences.
Include a description of how you use personal data to carry out marketing activities, as well as what information is used.
You should also provide information on how users can opt in to and opt out of your marketing campaigns, and whether you use third parties. It’s best practice to also describe the software that you use and link to their privacy policies where necessary.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Describe what measures you take to make sure all data you hold is accurate and up to date. Tell users that individuals can correct their personal information if it needs updating or is incorrect.
Inform the user on your retention period for holding their personal data, or describe the criteria used to determine the retention period.
Security and access
Highlight the steps your organisation takes to safeguard personal information in the event of a breach. What are the actions your company will take to limit risks?
Include your policy on an individual’s right to access their own personal data. Include contact details so users know who to contact and describe how the information will be provided.
Summarise by highlighting Data Controller details and your Data Protection Officer (if applicable) along with contact details.
- Include contact information
- How to raise a complaint
Privacy and data protection can be daunting. If you aren’t sure where to start, or want help updating your existing policy in time for May, don’t hesitate to get in touch. Our team has great experience writing a number of different policies and holds an IDM Award in General Data Protection Regulation, so you can rest assured knowing your website is in good hands.
- Be really transparent about what you include: the more detail, the better!
- Think about the usability of the page; UX design shouldn’t be an afterthought
- Don’t forget to include a company disclaimer, as well as a brief summary of the ethos behind your approach to data