There are a number of factors to the GDPR (General Data Protection Regulation) that from May 2018 will change how companies communicate with users and process their personal information.
One fundamental factor is privacy notices and how organisations explain at the point of data collection what users can expect will happen to their data. In this article, we’ll dig into the topic of privacy notices more deeply, and present some best practice examples that appear to comply with the GDPR.
We all know privacy policies are painful
Who has ever read a privacy policy? Truthfully?
They are not quite as absurd as the iTunes terms and conditions (now a graphic novel), but a paper by McDonald and Cranor estimates that if the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours.
In 2010, Facebook’s privacy policy was longer than the US Constitution.
It’s this absurdity that the GDPR is attempting to tackle – privacy policies may still be long and unwieldy documents, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection.
The GDPR demands clarity through a privacy notice
This is what the GDPR has to say about the information companies provide about personal data processing – it must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
This means a simple link to your crazy-long privacy policy during registration will likely not do the trick.
As the ICO puts it when discussing the GDPR, “being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
What’s more, the information you should provide is changing, too. The lawful basis for your data processing, how long you’ll keep the data for, the user’s right to complain – these are all pointed to in the GDPR.
The following questions should be considered when writing a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
(Note, for the full detail on what information should be provided to the data subjects at the point of data collection, readers should check out Article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO here.)
What does a privacy notice look like?
All this seems pretty straightforward so far, but what then does a privacy notice actually look like?
It’s not as lengthy as the questions above may suggest. In fact, it chiefly tackles what will be done with personal data, by whom, and who it will be shared with.
Here’s an example, again from the excellent ICO guidance:
As you can see, the privacy notice is part of obtaining consent from the user (or telling them about legitimate interests, for example), and is presented at the point of data collection. (In a previous article on the Econsultancy blog we have looked at the UX of obtaining opt-in – essentially how checkboxes should be presented.)
When planning privacy notices, you should be aware that more information may be needed than shown in the example above. Such information depends on what the user reasonably expects to happen to their data, and whether a lack of honesty/fairness might be levelled if pertinent information is not provided (e.g. use of personal data for profiling).
You can see a longer example of a privacy notice in a blog post from Scott Sammons, privacy expert – read it here.
Examples of good privacy policy UX
Back to the GDPR. What does best practice look like?
Layers
There are two concepts of privacy policy/notice UX that the ICO advocates. The first is layering – allowing users to access easy-to-understand information and then delve more deeply if required.
The prototype from the ICO shown below uses three layers. The first is a headline question (how will we use the information about you?), the second is the collapsible information about processing and sharing, and the third is the hyperlink to the relevant section of a full privacy policy.
This layering is a good way of saving space in a mobile UI.
Just-in-time privacy notices
Another superb prototype from the ICO, particularly useful in mobile UIs, is the just-in-time privacy notice.
As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.
Who is adopting some of these practices?
Microsoft
As with many companies out there, Microsoft is getting some things right and others arguably not so. When I investigated signing up for an Outlook email account, I was pleased to see that the form I had to fill in employed the just-in-time technique noted above. You can see it in the screenshot below.
Just-in-time privacy notice from Microsoft
However, Microsoft doesn’t include a privacy notice at the end of the form when I am ready to sign up. Arguably there should be some information at this level about what data of mine will be used and how. I am also required to opt out of marketing, which will be a no-no under the GDPR.
Microsoft should be given credit though for its use of layering when a user clicks through to the privacy policy. As you can see from the screenshot, there are clickable subtitles in the form of questions, top-line information given and then links to more detailed information.
Age UK
Age UK was included in my last article about opting in to marketing consent. For a simple transaction (a donation), the privacy notice is clear, and sits next to the option to opt in to marketing.
You can see the message below. It’s not extensive; it focuses on the main area of doubt a user may have in consenting to marketing – will my data be passed on?
Age UK assuages these doubts and also details the option of changing your mind. There is then a link to a more detailed privacy policy.
It should be stressed that direct marketing may rely on the basis of legitimate interests (not always consent, though the individual still needs to be made aware at data collection). Sending email marketing is possibly governed by both the PECR and the GDPR, depending on the level of processing of data. This article by the DMA gives a handy summary.
The charity’s privacy policy is partly shown below and was updated in April 2017. I like the layout of information. It looks well prepared for next year’s regulation and includes information about updating your details, security precautions, any transfer outside of Europe and any profiling that may take place. Check it out here.
The beginning of Age UK’s privacy policy
USwitch
USwitch has a very simple UX for comparing energy prices, but it remembers to include some just-in-time information. See the screenshots below.
Note the use of the word ‘optional’ in the phone number field, too.
However, when I went further through the process of applying for quotes, I could not see an obvious privacy notice. It may be argued that all the information I input (energy consumption etc.) is necessary to provide a quote, but I would still have been reassured with another notice about what happens to my data.
USwitch does have a good privacy policy, though, similar in style to Age UK, with clear headings and a range of information, also updated in April 2017 (see it here).
Remember…
There are likely better examples out there with whiter-than-white compliance. But remember, it’s horses for courses.
As the ICO points out, consumer expectations are key. You have to “actively give privacy information if:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.”
Ridding the internet of legalese and promoting transparency is not a new concept
As an addendum, it’s worth noting that the challenge of keeping the user informed is one that many academics and developers have worked on before.
One nice example is the open source code available from the Application Developers Alliance. It partnered with Intuit in creating privacy notices for apps (see below) that would comply with the Mobile App Privacy Voluntary Code in the US.
Open source privacy notice from App Developers Alliance
Another example of previous attempts to bring some salience to the privacy notice is the use of iconography. There are no standard icons used to denote various levels of privacy or data use, but their appeal is obvious – they are language neutral. As the GDPR applies to users based across the EC, we cannot assume all users understand one of the major languages of the region.
Aza Raskin of Mozilla has developed privacy icons inspired by Creative Commons. Along with some standard short text, the icons simplify privacy policy, though it should be noted that most of this sort of work has been academic. There remains difficulty in the issue of jurisdiction.
Image via CREATe – The use of privacy icons and standard contract terms to build consumer trust
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.