Before you start drafting your privacy information, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise. You should map out how information flows through your organisation and how you process it, recognising that you might be doing several different types of processing.
You may already undertake this type of audit or mapping exercise as part of your existing data governance framework, or as part of documenting your processing activities under Article 30 of the UK GDPR. If this is the case, you can incorporate the privacy information requirements into this process.
You should work out:
what information you hold that constitutes personal data;
what you do with the personal data you process;
why you process the personal data;
where the personal data came from;
who you share the personal data with; and
how long you keep the personal data for.
Once you have an understanding of the above, you can build on this by addressing some of the more specific questions that you need to be able to answer, such as:
Which lawful basis do you rely on for each type of processing?
What are the legitimate interests for processing (if applicable)?
What rights do individuals have in relation to each type of processing?
Is there a legal or contractual obligation for individuals to provide personal data to you?
Do you make solely-automated decisions about people that have legal or similarly significant effects?
You also need to think about your audience, as this will help you keep your information clear and easy to understand.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
You also need to think about who you are addressing your privacy information to. It is a good idea to put yourself in the position of the people you’re collecting information about. You need to understand the level of knowledge your intended audience has about how their data is collected and what is done with it.
Dealing with a wide range of individuals - If you collect the personal data of a wide range of individuals you need to think about the relationships you have with the various groups and whether they will all understand the information you give them. Break your customers down into different categories and provide tailored privacy information for each group.
Example
An insurance company provides business travel insurance to large multi-national organisations and travel insurance to members of the public. It tailors the privacy information it provides to these different customers to cater for the differing levels of understanding and uses of personal data.
Dealing with vulnerable individuals, including children – The UK GDPR emphasises that the requirement to provide information using clear and plain language is of particular importance when addressing a child. While children are singled out as meriting special protection, in practice if you collect information from any type of vulnerable individual, you must make sure you treat them fairly.
This means drafting privacy information appropriate to the level of understanding of your intended audience and, in some cases, putting stronger safeguards in place. You should not exploit any lack of understanding or experience, for example, by asking children to provide personal details of their friends.
There may be times when using a combination of the techniques described in this guide may not be effective, as it could cause confusion or provide less clarity. If this is likely to be the case, the key point is to focus on providing clear and understandable information for the target audience.
You should use your knowledge of the individuals you deal with to decide your approach. In particular, you should try to work out whether the individuals you are collecting information about would understand the consequences of this. If in doubt, you should be cautious and should instead ask the individual’s parent, guardian or carer to provide the information. For online services, if you rely on consent for the collection of personal data, the UK GDPR and the Data Protection Act 2018 require that you obtain it from the holder of parental responsibility for children under the age of 13.
Dealing with people whose first language is not English - Sometimes you may want to collect personal data from people whose first language is not English. In some cases you may be obliged by law (other than data protection) to provide information in another language, for example, Welsh. Even where this is not the case, it is good practice to provide your privacy information in the language that your intended audience is most likely to understand.
One of the biggest challenges is to encourage people to read privacy information. People are often unwilling to engage with detailed explanations, particularly where they are embedded in lengthy terms and conditions. This does not mean that providing privacy information is a mere formality; it means that you have to write and present it effectively. The UK GDPR recognises this and requires that the information you provide individuals with meets the following standards.
Conciseness – There is a tension between the amount of information you need to provide individuals with and the requirement that it must be concise, but there are ways of writing and presenting privacy information that can achieve both:
Use an appropriate technique to deliver the information, such as a layered approach.
Use headings to separate the information into easily digestible chunks, each dealing with a different aspect of what you do with personal data.
Keep your sentences and paragraphs short. Omit any irrelevant or unnecessary information.
Transparency – Being transparent is about being open, honest and truthful with people:
Don’t offer individuals choices that are counter-intuitive or misleading.
Don’t hide information from people; make sure that you clearly bring to people’s attention any uses of data that may be unexpected, or could have significant effects on them.
Align your privacy information with your organisation’s values and principles. People will be more inclined to read it, understand it, and trust your handling of their personal data.
Intelligibility – Your privacy information needs to be understood by the people whose personal data you collect and obtain:
Adopt a simple style that your audience will find easy to understand.
Don’t assume that everyone reading the information has the same level of understanding as you. Explain complex matters in basic terms.
Ensure that what you say is unambiguous. Be as precise as you can about what you do with people’s data.
Ease of access – Individuals should not have to look for your privacy information; it must be easy for them to access:
Adapt how you provide your privacy information to the context in which you collect or obtain people’s data.
If you provide individuals with a link, ensure that it directs them straight to the relevant privacy information, so that they do not have to seek it out amongst other information.
Make the information consistently easy to access across multiple platforms.
Clear and plain language – Ensure that the words and phrases you use are straightforward and familiar for your intended audience:
Use common, everyday language.
Avoid confusing terminology, jargon, or legalistic language.
Align to your house style. Use expertise (for example in-house copywriters) to help your privacy information fit with the style and approach your customers expect.
Carrying out user testing will provide useful feedback on draft privacy information. This is where you select a sample of your customers and ask them to access and read the information to obtain their feedback on:
how they accessed it;
if they found it easy to understand;
whether anything was difficult, unclear or they did not like it; or
if they identified any errors.
Asking your customers to do this will help you improve the effectiveness of your delivery of the information. You are likely to come up with a far more useful and engaging approach if you consider feedback from the people it is aimed at.
Example
You plan to deliver privacy information to people based on assumptions you made about a user’s journey around your website. However, during your user testing you identify that people are often directed to a specific page of your website straight from a third party search engine and therefore miss some of the information supplied on your homepage. Having identified this, you ensure that your privacy information is correctly connected together so that individuals do not miss anything important. For instance, you provide a link to more detailed information in all your just-in-time notices so that an individual can see the important message at that point in the journey but can also refer to further information to see if they have missed anything.
Having made any changes to the content and delivery of your privacy information as a result of user testing, you are then ready to roll it out using the tools and approaches you have selected.
check that it actually explains what you do with individuals’ personal data;
ensure that it remains accurate and up to date; and
analyse complaints from the public about how you use their personal data and in particular any complaints about how you explain your use of it.
What if we want to use personal data for a new purpose?
If you plan to use personal data for a new purpose, you need to tell people about this before you do so. In these circumstances, you must update your privacy information to reflect what you intend to do with people’s data, and proactively bring this change to their attention before you start any new processing. In particular, you must provide people with information on the new purpose for processing, along with any relevant further information concerning:
your retention period for the personal data that you are processing for the new purpose;
the rights available to individuals in respect of the new processing;
the right to withdraw consent for the processing;
the right to lodge a complaint with a supervisory authority;
the source of the personal data (if you obtained it from a source other than the individual);
the details of whether individuals were under a statutory or contractual obligation to provide the personal data (if you collected it from the individual); and
the details of the existence of automated decision-making, including profiling (if it is solely automated and has legal or similarly significant effects).
If you do not obtain consent for the new processing, as well as updating your privacy information, you must also take into account the purpose limitation principle. This means making an assessment of whether what you plan to do is compatible with the original reason you collected or obtained the personal data.
WP29 published the following guidelines which have been endorsed by the EDPB:
The Department for Business, Energy and Industrial Strategy (BEIS) commissioned research and a guide on how to best present information to individuals. Whilst this relates to terms and conditions generally, it contains recommendations for presenting privacy information which may be useful.