This edited extract is from How to Use Customer Data by Sachiko Scheuing ©2024 and reproduced with permission from Kogan Page Ltd.
Do you use personal data?
I'm sure you do, otherwise you wouldn't be reading this book. If your company collects personal data for marketing, accounting, HR, or any other reasons, having a privacy policy is essential.
According to the traditional view of data protection and informational self-determination, having control over your own data is only meaningful if you are informed about how it will be used.
One of the first rules GDPR lays down in its text, after clarifying the scope of the law and the different definitions, is Article 5 (legislation.gov.uk, 2016):
- Personal data shall be:
This requirement emphasizes the importance of handling data in a lawful, fair, and transparent manner when it comes to the individual's information. This is why having a privacy statement is necessary.
Companies that act as data controllers need to be responsible for how they use data and should have a privacy statement. This responsibility is outlined in Article 24(2) of the GDPR.
This article discusses automated individual decision-making, which includes profiling. This type of profiling goes beyond selecting ads for marketing purposes and can greatly affect individuals.
Such profiling can only be considered compliant under Article 24(2) if there is an appropriate data protection policy in place, including a privacy statement (legislation.gov.uk, 2016).
A privacy statement is a crucial document. GDPR outlines the specific information that must be included in your privacy policy in two separate articles: Article 13 for when data is collected directly from consumers, and Article 14 for situations where data is collected indirectly (legislation.gov.uk, 2016).
Who Will Read Your Privacy Statement?
Have you ever thought about who reads your privacy statement? In the case of food labeling, it was me, as a customer checking for a specific ingredient, who read this.
Customers and prospects are one group of stakeholders interested in how their data is handled once it's in your possession. Privacy activists and consumer protection organizations may also be reviewing your privacy statement.
Authors and academic researchers specializing in data protection see your privacy notice as a valuable resource for understanding how companies utilize personal information. Regulators, judges, and lawyers involved in a case related to your company also pay close attention to your privacy policy.
Your privacy statement plays a crucial role in shaping your corporate image. Customers in both business-to-business and business-to-consumer markets closely scrutinize your privacy practices.
When conducting due diligence, business partners and suppliers frequently inquire about your company's data protection compliance, including questions about your privacy statement.
For all of these readers, including customers and partners, your privacy statement is an important touch-point. It is crucial to create a positive impression of your privacy practices. According to the ICO, a well-crafted privacy statement helps to build trust, prevent confusion, and set clear expectations (ICO, 2023).
How Long Should My Privacy Statement Be?
Your privacy statement should be long enough to clearly explain the data collection, usage, and storage practices. This transparency is important to comply with GDPR regulations.
Your privacy statement should also be brief, as per Article 12(1) of GDPR (legislation.gov.uk, 2016). This may seem to conflict with the need to provide detailed information, but EU regulators offer clarifications in their transparency guidelines (Art 29 WP, 2018).
Privacy statements are meant to help consumers understand how their personal data is used. However, regulators recognize that people can only process a certain amount of information before experiencing "information fatigue" or "information overload." This suggests that there is a limit to how much information individuals can absorb.
When people are bombarded with too much information, they often feel overwhelmed. This can lead to them either ignoring the information altogether or making irrational decisions in order to deal with the psychological pressure they are under (Simmel, 1950; Milgram, 1969).
To prevent this from happening, there are two strategies that can be used. These strategies not only help in avoiding information overload but also ensure that all the necessary details are still provided.
Create a Clear Outline
Make a list of all the information you want to include in your privacy notice before you begin writing. Then, consider how you can present this information in a logical and organized way for your customers and other data subjects.
When exploring this topic, consider taking a look at the privacy statements of well-known consumer brands and government organizations. This can give you insight into how these statements are organized and structured. Chances are, these privacy notices are crafted by seasoned in-house legal professionals or specialized law firms who focus on data protection. By reviewing these examples, you can get a sense of what effective privacy statements should include.
You may also consider reviewing the privacy policies of your competitors and business partners in the same industry.
Consult with your privacy specialist to identify reputable competitors known for their strong data protection measures. Alternatively, you may already be familiar with these companies. Analyze the format of their privacy policies to gain insights. Additionally, you have the option to utilize the structure provided in the ICO's privacy policy template.
Whatever you do, the key is to improve the readability of your privacy statement by giving it a logical structure.
Prepare Privacy Notices In Layers
Another approach supported by regulators is the layered approach (Art 29 WP, 2018).
If your privacy notice will be online, you can create an interactive privacy policy by incorporating links. This way, users can click on the links for more details or choose to remain on the first-level summary information. It's similar to using an online encyclopedia.
This will help simplify the key messages and provide readers with a clear understanding of the initial section of your privacy statement.
It is advised by regulators that certain information should be easily visible in the first layers of your privacy notice (Art 29 WP, 2018, p 19, para 36):
- Details of the purposes of processing
- The identity of the data controller
- Description of the data subjects’ rights
- Information on the processing which has the most impact on the data subject
- Information on the processing which could surprise them.
When Do I Have To Present The Privacy Statement?
Consumers should be informed about the reasons for collecting their data, such as for marketing purposes, at the earliest opportunity.
When collecting data directly from customers, it is important to provide them with a privacy notice right at the moment of data collection (refer to Article 13(1) GDPR; legislation.gov.uk, 2016).
When you get data from other organizations, like public sources or marketing data providers, Article 14(3)a and b say that you need to provide privacy information as follows (legislation.gov.uk, 2016):
You should provide the privacy information within a reasonable time after getting the personal data, but no later than one month. Consider the specific situation in which the personal data are being used.
If the personal data will be used to communicate with the data subject, they must be informed at the latest when the first communication occurs. If the personal data will be disclosed to another recipient, the data subject must be informed at the latest when the data is first disclosed.
In summary, for licensed data that is not contact detail data, the privacy notice must be shared within one month.
If you are using contact data such as names, phone numbers, email addresses, and physical addresses, you must share the privacy statement when sending a commercial message to them for the first time.
In practice, companies embed a link to the privacy statement in email messages or print that link on direct mail pieces to fulfill this requirement.
References:
Art 29 WP (2018) Article 29 Data Protection Working Party, WP260 rev.01, Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017 and last revised on 11 April 2018, https://ec.europa.eu/newsroom/article29/items/622227 (archived at https://perma.cc/4HWYURKL)
ICO (2023) UK Information Commissioner’s Office, guidelines on transparency in direct marketing, https://ico.org.uk/for-organisations/advice-for-smallorganisations/frequently-asked-questions/transparency-cookies-and-privacynotices/ (archived at https://perma.cc/K3ZR-T7E5)
legislation.gov.uk (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, www.legislation.gov.uk/eur/2016/679/contents (archived at https://perma.cc/NVG6-PXBQ)
Milgram, S (1969) The experience of living in cities, Science, 167, pp 1461–1468
Simmel, G (1950) The Metropolis and Mental Life, in The Sociology of Georg Simmel, ed K H Wolff, Free Press, New York, USA
Editor's P/S:
This comprehensive guide to privacy statements highlights the crucial role they play in fostering transparency, building trust, and meeting legal requirements. The author emphasizes the importance of providing clear and concise information about how personal data is collected, used, and stored. Readers are encouraged to create a well-structured and layered privacy notice that caters to different levels of detail.
The article also addresses the timing of presenting the privacy statement, stressing that it should be provided promptly upon data collection or within a reasonable time frame. This ensures that individuals are fully informed about their rights and the purpose of data processing. By following the guidelines outlined in the article, organizations can create effective privacy statements that protect individuals' data rights while maintaining transparency and compliance.