Does your Privacy Policy do what it should?

There’s a lot of confusion over Privacy Policies. Some people have bought “off the shelf” policies and others don’t have one at all.

We all have “the right to be informed”, we also have other rights – you can read about them here.

The Information Commissioner’s Office has the definitive guide on what you need to cover in a privacy policy: click here for more information.

Andrew Roberts our Data Protection expert tackles, in this blog, some of the subtleties and areas where people tend to get privacy policies wrong.

Why do we need a Privacy Policy?

First, why do you need a privacy policy? In data protection, the foundation stone of your approach should be the balancing of the needs of your organisation (to make money, create awareness, etc) with the rights, freedoms and expectations of the data subject (the person who buys from you, or might buy from you, or has bought something from you).

Rights

The main ‘right’ that you need to consider in this balancing, is the data subject’s right to be informed. The privacy policy is the main public-facing way that you can inform the data subject how you’re processing their data.

Whenever your organisation is communicating with the data subject, make sure they can access the policy.

Most people put a document or page up on their website with a link in the footer, which is good, and allows people to check how you’re processing data even if you aren’t communicating with them.

When you are communicating directly with people on email, you also need to let people know how to see what you’re doing with their data.

The easiest way to do this is to make sure there is a link in all of your emails (whether in Outlook or Gmail signatures or in your MailChimp or Transpond email footers) so that the data subject can look at the privacy policy if and when they want to.

Note that this relates to all types of emails – individual sales emails, marketing campaign emails, or internal emails to employees; the recipients for all of these emails should have a mechanism to get access to your privacy policy.

You do not need to send out your privacy policy to people as an attachment. A multi-layered approach (having a link in an email, or even telling people where to go to get to your policy) is specifically allowed and encouraged – it’s much easier to digest a policy you elect to look at rather than having one pushed into your face.

The website policy

One issue that I have seen quite often is that privacy policies only, or mainly, cover the processing of data that relates to the website. Policies like this focus on cookies, how contact us forms might capture data, and other ways that data that only relate to the website is captured, stored and managed.

This is often the case when website designers create the privacy policies as a part of setting up the website.

The public-facing privacy policies should cover all of the data you are processing, whether linked to your website or not.

Clear information

Privacy policies should never be (but often are) approached with an attitude of posterior protection – privacy policies are not a contract between you and the data subject.

The policy is your shop window to show the data subject what, who, how, where, when and why you are processing data. You are processing their data, and as a part of that transaction, one of your obligations is to provide a clear and succinct message that tells the data subject how their data is being processed.

Clarity of language is important (use plain English, not legalese), as is the tone of the document. “By using this website, you agree to…” is not appropriate in a privacy policy.

Structure

When structuring the policy, consider what the data subject would want to know.

The data subject will often fall into one or more categories, and main ones are usually the ones below, but you may well have others:

  • Prospects (including ex-customers),
  • Customers,
  • Employees,

I recommend separating out how you process data for the specific purposes and grouping them under these categories. You may be processing data for more than one reason for a given type of data subject; this is fine. A single individual can have their data processed under more than one category.

When documenting the information on how you process data, follow a set pattern in each section, both for ease of understanding, and for ease of update. For example:

  • A description of the category: “We capture information on individuals in customers and prospective customers who are buying or interested in buying products from us”.
  • Why you are doing this: “We process this data so that we can engage with the individuals to provide their organisations with our services”.
  • How: ” We capture this information either directly or through our website or from their contact to us using email or telephone”.
  • What: “includes basic contact details such as name, telephone number and email address”.
  • What legal basis you’re using to process the information and how you justify that.
  • Whether you also capture special category or criminal offence data, why and what reasons you’re using to do so.

Employee privacy

Some people separate out how they process employee data in a separate privacy policy so that:

  • The general public doesn’t see the information on employees, and
  • Employees can have access to the information in relevant documents like the employee handbook.

This is an adequate approach, but I prefer the information to go into the web-based privacy policy, simply so that ex-employees can see the information as well, and all information is in one place if you want to update information.

Employees are statistically one of the most significant causes of problems when it comes to data protection; disgruntled employees or ex-employees can soak up time and resource in ‘weaponising’ their right to access (known incorrectly as a Subject Access Request or SAR – it’s not a ‘request’, the data subjects are exercising their rights) as one example.

Transparency is good

Despite the temptation to obscure how you process data, having greater transparency in how you manage data protection is a help to any data protection issue, rather than a hindrance.

Keep your privacy policy up-to-date so that it covers all your data processing.

 

If you need any help with your Privacy Policy, or any aspect of data protection’s how, what, when, why, who or where, Blake Consultants is here and can help.

Please contact us on hello@blakeconsultants.co.uk or call us on 01635 592020