How can organisations create the perfect privacy statement?

Feb 20, 2020 12:00:00 AM | EU How can organisations create the perfect privacy statement?

The GDPR highlights that data subjects need to be given the right to be informed about the gathering and the use of their personal data. Organisations are encouraged to fulfill this obligation through a privacy statement, that informs individuals in a clear and easily understandable manner on how their personal data is gathered and processed by the organisation. At the same time, organisations often find challenges in creating the perfect privacy statement as narrowing down a huge variety of complex legal information is not a task for the faint hearted. Furthermore, with the enforcement of the GDPR, previous privacy statements also had to be readjusted. So, what do organisations need to keep in mind for creating the perfect privacy statement, and what benefits it holds to have one, besides compliance?


Perfect_PrivacyStatement_PrivacyPerfect_Blog_GDPR

Why a privacy statement is important for your organisation

A privacy statement is one way to comply with the requirements of the right to be informed. The right to be informed covers some of the key requirements of the transparency principle; one of the underlying principles of the GDPR. It is about providing data subjects with clear and concise information about what happens with their personal data. Articles 13 and 14 of the GDPR specify what data subjects have the right to be informed about. 


Besides increasing your organisation’s efforts in complying with one of the key obligations of the GDPR, by providing a strong privacy statement organisations are able to achieve a strong level of transparency towards their prospects, customers, and authorities. Additionally, it provides concerte and clear information on your data protection efforts not just to external parties, but also to internal departments. With every department within the company being on board in regard to your organisation’s efforts towards data protection, they will be able to facilitate better compliance, be aware of their responsibilities and roles towards the privacy administration you are in charge of, and contribute to a culture where data privacy is an embedded concept.

 

It’s important to note that the obligations to inform data subject about the processing are aimed at the controller. This does not mean that there is no value for processors having a privacy statement. Including information on processings for which an organisation is the processor should always be communicated with the controller however, since they are responsible for the processing.

 

Typical issues and their suggested solutions for organisations in regard to privacy statements


Besides narrowing down complex legal texts, what do organisations typically find challenging when crafting privacy statements? The Data Protection Authority of the UK, ICO, identified the most common scenarios of this and provides helpful guidelines for each of the cases:

 

According to the ICO, “if you share personal data to (or sell it with) other organisations, as part of the privacy information you provide, you must tell people who you are giving their information to, unless you are relying on an exception or an exemption. You can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful. It is good practice to use a dashboard to let people manage who their data is sold to, or shared with, where they have a choice.

If you buy personal data from other organisations, you must provide people with your own privacy information, unless you are relying on an exception or an exemption.If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.If your purpose for using the personal data is different to that for which it was originally obtained, you must tell people about this, as well as what your lawful basis is for the processing. Provide people with your privacy information within a reasonable period of buying the data, and no later than one month.

If you obtain personal data from publicly accessible sources, you still have to provide people with privacy information, unless you are relying on an exception or an exemption.If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing. Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources. Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month.

 

If you apply Artificial Intelligence (AI) to personal data, be upfront about it and explain your purposes for using AI. If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update your privacy information and actively communicate this to people.Inform people about any new uses of personal data before you actually start the processing. If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information you use, why it is relevant and what the likely impact is going to be. Consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data.” 

 

What benefits does a good privacy statement provide to organisations 


Besides taking the right steps in ensuring compliance, taking the time to create a strong privacy statement also brings in several further benefits, such as increased consumer trust, potentially decreased reputational risks, better accountability, and a significant impact on customer satisfaction.

Increase consumer trust
As incidents of personal data breaches and leaks continue to rise, studies indicate that consumers overtime have grown to be more critical when deciding to engage and share their personal data with an organisation. For data conscious consumers, a privacy statement may be the first thing they look for if they are interested in how your organisation handles personal data. Almost comparable to a business card for privacy compliance, if it’s difficult to understand, or is or too vague/incomplete, it may not leave a good impression. 

Being accountable and obtaining information
Not only would a privacy statement give consumers the confidence in trusting your organisation’s data, but in return, as the ICO states, it would allow your organisation to be accountable to the GDPR, and could even help obtain more information from customers through transparency. Getting it wrong, however, may leave organisations prone to fines and reputational damage.

Third parties that your organisation uses may require one
Many third-party web services that help enhance your organisation’s website generally collect and use data gathered from your online visitors. Because third-party services store cookies and other trackers on a data subject’s computer to collect data, it will require that the organisation provides a privacy statement that discloses how and why that’s being done, and how the personal data will be processed.

What the perfect privacy statement needs to include

The ICO provides a table that summarises the information that must be provided. This differs slightly depending on whether the personal data was collected from the data subject it relates to (art. 13 GDPR) or obtained from another source  (art. 14 GDPR). It could of course be valuable to include more information than required.

*Please note that the table, and the below 3 paragraphs are from the ICO’s official website for consistency and credibility purposes

 

 

Personal data collected from data subjects (art. 13 GDPR)

Personal data obtained from other sources (art. 14 GDPR)

The name and contact details of the controller

Where applicable; The name and contact details of your representative

When applicable; The contact details of the data protection officer

The purposes of the processing

The lawful basis for the processing

When applicable; The legitimate interests for the processing

The categories of personal data obtained

N/A

The recipients or categories of recipients of the personal data

The details of transfers of the personal data to any third countries or international organisations

The retention periods for the personal data

The rights available to data subjects in respect of the processing

Where applicable; The right to withdraw consent

The right to lodge a complaint with a supervisory authority

The source of the personal data

N/A

The details of whether data subjects are under a statutory or contractual obligation to provide the personal data

N/A

The details of the existence of automated decision-making, including profiling

When does the information need to be provided

When collecting personal data from the data subject it relates to, they must be provided with the information at the time you obtain their data.

When the personal data is obtained from a source other than the data subject it relates to, they must be provided with with the information:

Within a reasonable period of obtaining the personal data and no later than one month;
When the data is used to communicate with the data subject, at the latest, when the first communication takes place; or
At the latest, when the data is disclosed to another organisation..

Other considerations

According to article 12 GDPR, the information must be provided in a way that is: 

Concise;
Transparent;
Intelligible;
Easily accessible; and
Uses clear and plain language.

When drafting a privacy statement,  it’s important to know whether your organisation is processing personal data of children, since, in that case, they need to be able to understand it as well.

 

Exceptions

When collecting personal data from data subjects, they do not need to be provided with any information that they already have.

When obtaining personal data from other sources, data subjects do not need to be provided with information if:

The data subject already has the information;
Providing the information to the data subject would be impossible;
Providing the information to the data subject would involve a disproportionate effort;
Providing the information to the data subject would render impossible or seriously impair the achievement of the objectives of the processing;
There is a legal requirement to obtain or disclose the personal data; or
There is an obligation of professional secrecy regulated by law that covers the personal data.


As there are quite a few points a perfect privacy statement should cover, it might be helpful to know that there are great tools out there that can help you check the quality of your organisation’s privacy statement.

Privacy statement checkers
There are several tools to evaluate an organisation’s privacy statement that you can find online. Certain resources automatically provide a brief view into what aspects an organisation’s privacy statement covers. This can be helpful in identifying what may be lacking in one’s privacy statement. Other tools found online could also assist organisations in generating free privacy policies, to which it can be adapted and customised. While searching for “privacy statement generator” provides hundreds of results, it’s important for organisations to identify resources that cover compliance bases accurately.

 

An opportunity to further improve your organisation’s privacy efforts

Because the laws and regulations continue to change, and your organisation’s practices as well, taking the time to re-evaluate and update your privacy statement will prove to be vital for your organisation’s compliance efforts, both in the short- and long run.

An organisation’s privacy statement should continue to change and adapt to the organisation’s growth. While the core elements of the privacy statement may stay the same, regular updates will most likely be necessary due to, for instance, new applications or tools used by the company.

Outdated policies could put your organisation at risk as they might not comply with the set our regulation as it’s updated over time. Therefore, continuous tending to your privacy statement doesn’t just contribute to your compliance efforts, but could potentially identify risks of new applications ahead of time as well.

Key component for compliance

A strong privacy statement is a key component for an organisation’s GDPR compliance. Taking time to ensure that your data handling practices and the third-party services you use are communicated in an easily understandable manner, will increase your accountability towards authorities and your customers significantly. Make sure to set reminders for regular updates on your privacy statement, and inform all departments within your organisation about their need to share if they wish to use new applications, for instance. Overall, having the perfect privacy statement will go a long way in your compliance efforts, and can help make your business more successful.