Your Privacy Notice 2022
I’m going to stick my neck out here and say that the most well-known GDPR-related document is the Privacy Notice (OK, not very brave there). Despite this, many coaches, trainers, and consultants haven’t got their business’s Privacy Notice written, styled, and available in more than one (often not very good) version.
Even after almost 4 years(!), GDPR continues to be a confusing and complicated subject, especially as many business owners consider it an unhelpful add-on responsibility to an already heavy workload.
For those of you who already have your business’s Privacy Notice set up, including the variations for different uses, use this post to double-check it (them). For those of you who know the one you have isn’t really up to scratch, or don’t have one at all (eek!), read on and take action…
Food for thought:
If you build data protection into your everyday business activities, it will be much less of a burden and, more importantly, will reflect the fundamental care and respect you have for your clients that you can be open and positive about.
Your Privacy Notice is a publicly available document, and it sets out how you and your business handle personal data. It’s the place where you set out your commitment to only do what you say you will with their data. You only need to look in the media to see how many organisations at all levels abuse the privilege.
At this point, it’s worth mentioning that there are two types of people who are likely to read your Privacy Notice:
- People who are considering doing business with you (or existing customers who are carrying out annual due diligence)
- People who are looking for something you’ve done wrong
So, it’s either clients or complaints…
Let’s start from the beginning. The following information must be included:
- Your business identification details, including contact information. Also, if applicable, the details of your Data Protection Officer. If you have clients in the EU, the details of your Representative
- The types of personal data your business collects
- The individual purposes for which the data is collected and the lawful basis for doing so for each purpose
- Details of where any of the data is transferred if it’s outside of the UK and the legal safeguards
- Details of the security measures taken, e.g., passwords, access according to role, encryption, etc.
- How long you retain the data, or the criteria used to decide how long to keep it, including details for destroying or deleting the data
- The legitimate interests of your business or any third party, if applicable
- The rights of the individuals, including the right to withdraw consent at any time, if applicable, and how to do that (make it easy!)
- If applicable, the categories and sources of personal data you collect for data not obtained directly from the data subject
- Any recipient or categories of recipients of the personal data, if applicable, i.e., the details of whom you share the data with, including processors (platforms, organisations, etc.)
- The right to lodge a complaint with the ICO (this is for UK-based clients). It’s good practice to mention the complaint procedures you have in your own business, although this could be included in your T&Cs
- If there is any automated decision-making, including profiling, you should give information on how decisions are made, including their significance and any consequences for the individual
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation on the part of the data owner, and the possible consequences of not providing it
These are the basics that need to be included, which some (many) businesses don’t even have in place.
As far as how you present the information, it must be in plain English and designed to match your audience, e.g., if you serve children, then it must be in a format that they can understand. It doesn’t have to be all text: you can use video, animation, visuals, or whatever will make the details easy and clear to those at whom it is aimed. My favourite styles tend to include bullet points, nested subjects, links to more in-depth explanations, and simple tables. Nothing too complicated or confusing.
Horses for courses
You will probably think of the Privacy Notice on your website as the only one you need. However, you either need separate versions for each use or a clearly written combined version covering all the purposes, for example with the different uses worded clearly under different headings.
You will need to adjust the wording so that it makes sense for other uses e.g., if you are sending a copy out with the first newsletter to a new subscriber, the reference to your website as it stands won’t be appropriate (and will be confusing for your subscriber). Try to read it as if you are the new subscriber, recipient of your giveaway, etc., or ask someone who isn’t business savvy to be your test guinea pig.
Where do you get the information?
You will already have gathered the necessary information to complete your Record of Processing Activities – but, if you haven’t got such a document, you are going to be facing the same work to get what you need to put in your Privacy Notice. For those who haven’t collected the details they need, do that before you create your Privacy Notice unless you want to carry out a lot of editing.
Whichever comes first, you really need both a RoPA and a Privacy Notice.
This is about giving your Privacy Notice your brand’s voice and style. No specific style of Privacy Notice is required, but the brands that take the time to make the language match their own style reflect themselves better. It is up to you to decide.
Don’t just ignore your Privacy Notice and hope it will all be OK! If you’ve got a CMS website such as WordPress, you can choose one of the cookie plugins that fit your requirements and include an automatically created Privacy Notice, if you wish.
N.B. Going back to the design for ease of use to fit your audience and the need for different versions for different purposes, an automatically generated Privacy Notice may not fit the bill for your business BUT it’s better to have something rather than nothing in the short term.
You can use a template, and there are many choices online if you look for one that you are comfortable with. I have a Privacy Notice Template Kit of my own – it includes a video tutorial and simple tables that you can fill in using drop-down options, then copy and paste into a straightforward Word document that you can customise to match your business. In addition, a live Zoom Q&A call with me is included to get you started. You can also book a follow-up call to go through anything you need, either during or after you’ve finished your document.
How often should you check your Privacy Notice?
The minimum is once a year, but I would base the frequency for your business on how often you make changes that need to be reflected – if you’re the type of person who loves shiny software and platforms, you may change more often, and so a quarterly or even monthly check would be better. Of course, if you are a detail-orientated person, you may always remember to change your documents and records whenever you make any changes, which is what is really required. Make your schedule of follow-up checks fit your approach and business.
The only constant to bear in mind is, if your Privacy Notice is out of date, you run the risk of a complaint being made AND upheld. Transparency is one of the most important requirements of GDPR and Accountability is the overarching principle.