The Significance of a Privacy Message - a Business Perspective

  • The GDPR Article 12
Phil Brown, Norfolk's Data Protection Mardler

Your legal obligation

If your business determines the purpose for which personal data is being collected, then it is classed as a data controller. Being an employer or handling customers’ personal data will put you into this category. Whatever the reason, a data controller has a legal obligation to provide a fair processing notice which explains how it handles personal data, normally at the point of data collection. In this blog, I refer to this as a privacy message but other titles are used.

The logic and business context

This blog intends to steer you through the logic behind preparing a privacy message and to highlight its benefits in general. I do ask that you read it in the context of your business operations. Meeting the requirements of the GDPR is a risk-based approach which means the degree to which you apply the law, will reflect your risk appetite and other priorities.

On the other hand...

If your mindset includes the notions that you don't need to do anything because nothing bad has happened in the past, nobody else seems to be doing anything and that it will cost you money and time to think about it, then don't bother reading anymore of this blog. I do recommend, however, that you keep a few packets of asprins close by to deal with the headaches once your customers start to take an unhealthy interest in your processing of their personal data. 

Setting the tone

Although the GDPR is largely principle based, in the area of informing data subjects, it is specific as to what must be included in a privacy message. A good one is going to be the result of a number of business decisions taken separately. In effect, it becomes the pinnacle of your business privacy framework and it will set the tone accordingly. Its creation is not trivial; it may take you several iterations before you meet your requirement in full. Even then, it will need to be reviewed regularly. 

At the point of collection

If you obtain personal data from the data subject directly, the requirement to convey your privacy message starts at the point of personal data collection. This means you must have a method in place that serves this purpose from ‘the get go’. The GDPR does not prescribe what approach must be taken but typically a business will have pre-prepared a privacy message, often referred to as a privacy policy, statement or notice, that fulfils this function. If your business has acquired personal data from a third party, via a list broker for instance, then you have a legal obligation to provide the affected 'data subjects' with a privacy message as soon as is reasonably possible and practical.

Even if you have obtained personal data from a source other than the data subject concerned you still have an obligation to provide a privacy message. Exceptions do apply but if not, the main difference to the message is that it should also include the source of information and that it should be provided within a reasonable time period, but at the latest within one month of obtaining the information. Further details can be found in the GDPR Article 14.

You can take a horse to water…

It’s important to stress that a privacy message is provided for information only; it is not meant to be a contract or conditional to further interaction. It is up to your intended audience to be satisfied with the content of your message before they part with their personal data.

It is, therefore, critical that the privacy message is lawful, fair and transparent. If you get it right, your intended readers will never be surprised, shocked or dismayed to learn later how their personal data is being processed. If this happens, then either your message was lacking or they did not read it properly, but in the latter case at least you will be able to defend yourself if anyone complains. 

What's in it

The actual content needed is set out in the GDPR (Articles 13 & 14) and I will cover this in more detail in a later blog. The message must be prepared in such a way that it is concise, transparent, intelligible and easily accessible, using clear and plain language, especially if it’s being directed to a child. Achieving all of these aspects may seem a near impossible task because actually there is a lot of stuff to consider. Style of writing plus layout play a big part in producing an effective message. In some circumstances a short summary may be presented as long as the full message is easily available for viewing elsewhere.

However you present the message, its contents must reflect reality i.e. they must be aligned to other business decisions. Then, having 'nailed your colours to the mast', you must follow your own rules for them to have any credibility.

Cookie conundrums

I have seen within privacy messages sections on ‘website use of cookies’, which is allowed of course. From a readability point of view, if this section is long and technical, I recommend you create a link to a separate cookie policy and just refer to it within the privacy message. Since consent is needed from the website visitor for the use of non-essential cookies, for example those for analytical or marketing purposes, it's an even better reason to separate the cookie policy from the privacy message. 

What to call it

The title of the message, whether it’s a privacy policy, statement, notice or any variation thereof, is not so important; it’s your choice based on the context of who you are targeting. What does matter is that its content meets the criteria set out above. My preference is to use ‘privacy policy’ when the message is non-target specific, on a website for instance, and I use the title ‘privacy notice’ if it’s being directed to a well-defined group of people. 

Whatever you choose to call it, don’t confuse it or include it with the ‘Terms and Conditions’ of your business. Each serve distinctly different purposes and, in all probability, your privacy message would fail the transparency test being ‘hidden’ in another document.

On-line approaches

For many businesses, a link to a privacy message is placed on the home page of their website. For it to be really effective the link must be easy to find, especially on any ‘contact page’ that facilitates enquiries. Ideally the link should be close to the ‘submit’ button for extra accessibility. This use of the website is a good way of advancing your message to the public in general, but a more specific message (I call it a privacy notice) may be needed later as the nature of the enquiry matures.

Off-line approaches

There are many other scenarios where the data controller has to consider ‘off-line’ situations. One example is at trade fairs where there will be face to face conversations at business stands and exchanges of personal data for follow-up action. In this case, having a copy of your privacy message on show at the table is just one method of helping you to meet your obligations in a relatively ‘friction’ free way. The point here is that just because it may be awkward to provide a timely copy of a privacy message, it still must be done. 

Spotting the boilerplates

I have seen various privacy messages on websites that are screaming ‘I’m just a boilerplate trying to convince you that I am fulfilling my legal obligations’ when in reality, nothing could be further from the truth. Such approaches tell me that the company in question has spent very little time trying to understand what is needed which, in turn, invariably means their privacy framework is non-existent leaving that company vulnerable to complaints or worse. 

The AWOL message

The complete absence of a privacy message speaks for itself and it’s not good - in fact it’s very bad! If your company has this issue then do not delay fixing it – it is highly likely that you are currently processing personal data illegally.

The benefits of preparing the message

Aside from your business appearing to be doing things properly, there are much more compelling reasons why investing time in preparing (or reviewing) your privacy message is essential. When you look at what is needed, such as stating the lawful bases for processing, you are really forced to think: ‘how can I justify what I am doing in legal terms.’ This exercise of self-questioning is actually very healthy. It will lead you naturally through a sort of ‘data discovery and justification’ process where, for the first time possibly, you might start to appreciate the full extent of the personal data you are processing, and why.

A flying start

Another huge benefit of a well thought out privacy message is that it gives you a flying start when it comes to responding to data subjects who want to exercise their rights. In the case of the ‘Right to Access’, aside from gathering the material itself to hand over, you will already be in a position to answer the basic questions by simply referring to your privacy message. The effort of resourcing the response is onerous enough, so anything that saves you time at this stage is really worthwhile.

Spare the heartache

In summary, a well thought out privacy message is worth its weight in gold. Not only does it help to fulfil your legal obligations and force you to review your privacy framework, but it will be answering the majority of questions before they are even asked by your various data subjects. If you don’t have one now or your current privacy message still refers to the Data Protection Act 1998, then it’s out of date and in need of urgent review. 

Health warning: it will take resources and a few iterations before for your privacy message becomes robust and ‘fit for purpose’, but the time and energy invested in it will spare you much heartache later. If you need assistance, please get in touch.

Share this

Gold Patrons