Are there different ways we can provide privacy information?
Yes, you should not necessarily restrict the delivery of privacy information to a single notice or page on your website. The term ‘privacy notice’ is often used as a shorthand term, but rather than seeing the right to be informed as being about delivering a single notice, it is better to think of it as providing privacy information in a range of ways. You can provide this information through a variety of media:
Orally - face to face or when you speak to someone on the telephone (it’s a good idea to document this).
In writing - printed media; printed adverts; forms, such as financial applications or job application forms.
Through signage - for example an information poster in a public area.
Electronically - in text messages; on websites; in emails; in mobile apps.
It is good practice to use the same medium you use to collect personal data to deliver privacy information. So, if you are collecting information through an online form you could provide a just-in-time notice as an individual fills in the form. You can combine this with more detailed information on your website, accessible through a clear and prominent link on the online form.
Example
A retailer collects personal data on an online form. It provides individuals with a message at the point they enter their email address explaining that they will use it for order processing (the purposes of the processing). The message has a prominent link to more detailed information telling individuals that they will share the email address with an external courier company (the recipient) and they will keep it for two years (the retention period).
A blended approach, such as this, is often the most effective way to provide privacy information. Where appropriate, you should incorporate a variety of techniques, taking advantage of all of the technologies available to you. Examples of techniques you can use include:
a layered approach;
dashboards;
just-in-time notices;
icons; and
mobile and smart device functionalities.
It is often beneficial (and sometimes necessary) to consider these solutions as part of a DPIA. Always remember to focus on the individual when you make decisions about the way to deliver privacy information.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are l no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB:
A layered approach to delivering privacy information typically consists of providing people with a short notice containing key information, such as the identity of your organisation and the way you use the personal data. It may contain links that expand each section, revealing a second layer, or a single link to more detailed information. These can, in turn, contain links to further material that explains specific issues, such as the circumstances in which personal data may be disclosed to the police.
A layered approach is useful as it allows you to provide key privacy information immediately and have more detailed information available elsewhere for those that want it. This is particularly valuable when there is limited space to provide more detail, or if you need to explain a complicated information system to people. There will always be pieces of information that are likely to need to go into the top layer, such as who you are, what information you are collecting and why you need it. What else goes into which layer will depend on the type of processing that you undertake. The ICO considers that data controllers have a degree of discretion as to what information they consider needs to go within each layer, based on the data controller’s own knowledge of their processing.
Regardless of how you choose to layer your privacy information, you must treat people fairly. This means considering what people might (or might not) reasonably expect you to do with their personal data, and how your processing may affect them. Therefore, the top layer should always give people prominent, early warning of any use of their information that is likely to be unexpected, objectionable, or significantly affect them.
If you are unsure whether what you plan to do with personal data would be reasonably expected or have significant effects, there are a number of things you can do to get a more informed picture about your customers:
Consult with your customers as part of a data protection impact assessment.
Undertake more general research with the wider public, explaining what you would like to do and from that gauge whether or not they would reasonably expect you to do what you’re planning. You could use focus groups or online questionnaires.
If you are planning on doing something similar to what you have done in the past, review whether you had any issues when implementing new processing or if you received a lot of complaints about it.
Look at the experience of others in your sector or industry to see if there has been an approach that has been welcomed by customers or worked particularly well.
Using a layered approach works very well in an online context, where it is easy to provide a prominent front page link. It is also useful if you have further sectoral requirements that mean you need to present other information in addition to the privacy information. For example, information regarding fraud in the financial sector. As this increases the amount of information you have to provide, it is even more important that you present it in a clear and engaging manner.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are l no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB:
A dashboard is a preference management tool that can give people a place from which to manage what is happening to their personal data. For individuals it allows them to alter settings, so that (where consent is relevant) they are able to clearly indicate that they agree to the particular processing or data sharing. It also allows for individuals to provide consent and revoke it over time, as processing develops or if they change their minds. This can help you to meet the UK GDPR’s requirement that consent must be as easy to withdraw as it is to provide.
It is good practice to link to your dashboard from the places where you give people privacy information. This allows individuals to manage their preferences and to prevent their data being shared where they have a choice. You can also embed, or link to, your privacy information from within the dashboard itself. If you process personal data across a number of applications or services, this will help people to stay informed, and maintain control over, what is happening with their personal data, all in one place. See below for an example of how this can be done in practice.
Building individuals’ awareness and confidence in tools like dashboards is likely to make them more informed and better placed to engage with messages about what is happening to their information and how to manage it. Ultimately this should help to build trust and confidence with your customer.
A well designed and easily accessible dashboard is also an excellent way to allow individuals to exercise their rights, something that the UK GDPR requires you to do. For instance, you can use your dashboard to allow people to object to a particular use of their information, or access a copy of their personal data in a re-usable and machine readable format.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues
WP29 published the following guidelines which have been endorsed by the EDPB:
A just-in-time notice appears at the point where an individual provides you with a particular piece of information. The notice gives the individual a brief message explaining how you will use the information they are about to provide.
Just-in-time notices are particularly useful when people provide personal data at different points of a purchase or interaction, often on an organisation’s website, when filling in a form. People may not think about the impact that providing the information will have at a later date. Just-in-time notices help to resolve this issue by providing relevant and focused privacy information in such situations.
These notices can be most effective when used in combination with other techniques, ensuring that individuals who want more information are easily able to access it.
The individual can either choose to carry on with the basic information or click on the link to find out more information. This can expand the box or direct them to another page to explain in detail what you will do with the personal information they have provided.You can achieve a similar result using the hover over feature when completing fields in an online form.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
While it is not a legal requirement, the UK GDPR says that you can provide privacy information to individuals:
“…in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing.”
The European Commission (the EC) is empowered to set out how to provide standardised icons, and what they should represent. Although the EC is yet to do this, you can still use icons effectively in the meantime. Icons can be very useful, for instance, for indicating to individuals that a particular type of data processing is occurring.
Example
An icon indicating that information will be used for marketing appears when an individual inputs their email address into an online form. Hovering over the icon reveals the word ‘marketing’, and clicking on it directs the individual to a more detailed explanation of what will be done with their email address.
You can also use icons as useful reminders that data processing is taking place, especially if that processing is intermittent. This approach is often used on smartphones to indicate whether or not a particular app is processing location data, by placing a recognisable icon in the status bar.
The design of any icon is important as you need to make the messages they convey as clear as possible. Use icons consistently and make sufficient information available so that people understand what they mean; you should produce a key to the icons that can be accessed easily by users.
It is also important to limit the number of icons you use, as people are unlikely to take the time to learn what a large number of different icons mean. If you are a large organisation, it might make sense to have a single set of icons that you can use across all of your operations. The icons can be designed with your brand in mind so that they fit with the look of your websites.
Bear in mind that if your icons are presented electronically, the UK GDPR says you must make them available in a machine readable form. This means that electronic devices can ‘read’ the information the icon conveys.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
How can we provide people with privacy information on mobile devices?
Mobile devices such as smartphones and tablets have limitations in relation to the delivery of privacy information. The primary issue is the size of the screen.
You must ensure that any information delivered on mobile devices is as clear and readable on a smaller screen as it would be on a more traditional computer or laptop screen. The text should be large enough to read and people should not have to zoom in to see it. Information should fit on the screen as normal.
A useful tool for this is responsive web design. This allows you to create a website that can change the information on the screen to the optimal setting for viewing that information, depending on the type of device it is viewed on.
The limited screen space on mobile devices also underlines the importance of using a combination of techniques to deliver privacy information. Icons and layering for instance lend themselves well to smaller screens, ensuring that information is presented concisely.
The use of video to convey privacy information is also particularly suitable for smaller devices as lack of space for text is not an issue. Although you are unlikely to be able to convey all the necessary detail in a video, you can direct individuals to more detailed information as appropriate. Keeping the video short and to the point will also avoid any issues individuals may have with data usage if Wi-Fi isn’t available.
As well as considering the limitations of mobile devices, you should also look to exploit the unique functionalities that they offer when delivering privacy information. You can use:
pop-ups to deliver just-in-time notices;
voice, sound and vibration (or haptic feedback) alerts to indicate certain uses of data (eg wifi or location tracking);
pressure sensitive displays to allow individuals to access additional layers of privacy information without leaving the page they’re on; and
common mobile device gestures, such as swiping, to reveal more detailed information or to control different uses of data (eg swipe right to consent to marketing).
Always remember to put the individual at the heart of what you’re doing. Try not to adopt approaches that people won’t find intuitive or that result in giving individuals constant alerts regarding their information. This is where a link to a dashboard or preference management tool may be helpful, so people can choose their own settings.
What about the Internet of Things and other smart devices?
Other types of smart device present their own problems for the delivery of privacy information. Internet of Things (IoT) devices such as home assistants, connected toys and smart metres often don’t have screens on which to provide individuals with written information.
As with mobile devices, you should use a combination of techniques and adapt your approach to cater for the unique limitations and opportunities that IoT devices present:
Use the audio functionality of IoT devices to provide key privacy information through device speakers, complemented by more detailed information available in a written notice.
Inform individuals when a smart device is observing or recording them using a red light or a sound alert.
Use icons on the device, or packaging, to inform individuals how their personal data will be used.
Link, or send, more detailed privacy information to a device with a screen, using wirelessly technology such as Bluetooth, QR codes, SnapTags or NFC.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
The Department for Business, Energy and Industrial Strategy (BEIS) commissioned research and a guide on how to best present information to individuals. Whilst this relates to terms and conditions generally, it contains recommendations for presenting privacy information which may be useful.