How To Write A Good Privacy Notice

Telling people what will be done with their personal information is a core data privacy principle and a common legal requirement in the data privacy realm.

However, the exact requirements for how to notify people about how their personal data is used differ somewhat in each jurisdiction (US, Australia, EU etc.). Even the rights people have differ by jurisdiction. If the notice is drafted without thinking about these details, it is very easy to end up with a privacy notice that is full of legalese and hard to read or comprehend. In the worst case, this can mean that the organization is not compliant with the requirement to notify people about how their personal data is used.

So, how do you create a good, readable description of what is done with personal data?

  • Step 1 – Take into account all applicable ways the organization needs to notify people.

    It is easy to provide a link to a privacy notice, but many business processes are not so straightforward. Will the online notification work when data is collected face-to-face in an office, during a meeting outside the company premises, etc.?

    This will determine the medium and the structure of the notice itself. You may want or need to draft a single document, or there may be options to divide the notice into sections or sub-policies (e.g. website and cookies, what rights people have, data sharing and processors etc.). Keep in mind that the notice does not always have to be a single .pdf or .doc type document – the notice can also be delivered using HTML elements such as accordions (click to show or hide) to make it easier to comprehend and navigate. It can also be a combination of website (sub)pages – just make sure they are simple to access.
  • Step 2 – It is essential to know what information is collected and what is done with it. Without prior data mapping, the notice can be incorrect (missing items or plain wrong), which increases the exposure to compliance risks.
  • Step 3 – If you have the stomach for it (in other words, trust), let the actual stakeholders provide the description of processing (what data they use and what for). They know it best and can probably explain it in simpler language. This way you can also minimize the legalese included in the notice. As a bonus, the stakeholders will be more aware of the organization’s privacy requirements and are more likely to be proactive when it comes to privacy topics.
  • Step 4 – Use checklists to verify that all required elements are included in the notice. Reading the law is one way, but laws have lengthy sections of text and it is easy to miss a requirement. For professional growth – create a checklist of your own and refer to it in a relevant policy or SOP (Standard Operating Procedure).
  • Step 5 – Revise the text and remove all the fluff – avoid wording that is not legally required; for example, do not add ‘we respect your privacy and protect your data’ if it is not necessary. Broad promises make the notice longer and harder to read, and can easily be seen as empty or shallow, especially when incidents are known to have happened.

    A privacy notice is in essence a technical description of what is done with personal data and why, plus some details such as people’s rights and contact information.

A good tool for getting aligned input for the privacy notice? Use case templates. The most common are use case templates for business (e.g. sales and customer care) and for ‘IT’. The business stakeholder describes what they want to achieve with the collected personal data. The ‘IT’ stakeholder adds what is needed to achieve and support those business goals. While business input can be somewhat high level, e.g. using the term ‘reasonable’, the IT input will be more concrete and applicable at the system level. For example, the business can say that it needs xyz data for customer account creation on the website and for ordering products; IT will supplement this with the systems used for it. Secondly, the business wants to assure the customer that all reasonable security measures are applied to safeguard the data; IT will add to the use case template the details of what ‘reasonable security’ means, e.g. the type of multi-factor authentication, encryption etc. This in turn gives input on what data is used by the organisation. Collecting the customer’s phone number? Now you know the business need for it (e.g. sending an SMS to confirm the order from the website), as well as the ‘IT view’ of whether the phone number is used for OTP, MFA etc.

Please note – ‘privacy notice’ is often used interchangeably with ‘privacy policy’. Not wrong per se, but this can cause misunderstanding and confusion within the organization if there are other data-related policies and procedures that stakeholders such as employees must follow.