GDPR: How to write a Privacy Notice – Best Practices
If anyone is under the impression that the GDPR only affects European businesses, that’s incorrect.
“The GDPR does not only apply to businesses located in the EU,” says Dana Bucy Miller, an attorney at DM Law, LLC. “It applies to any business that collects or processes the personal data of EU citizens. This means that a US company, even a small business, that processes personal data on EU citizens must comply with the GDPR.”
A major component of the GDPR relates to being transparent and providing accessible information to individuals about the collection and use of their personal data.
The good news is that if your company or organization is already compliant with 1998’s Data Protection Act, you have a head start. But you will still need to make a few updates so that any new security policies or additional disclosures are made known.
Before we go any further, you’ll need to figure out a couple of things:
- What is your role – are you a controller or a processor?
- What is your lawful basis for collecting and storing personal data?
These two questions will help you find out what information you specifically need to include in your website’s privacy page and your privacy notices.
Controller or Processor?
Straight from article 4 of the GDPR, the two roles are:
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
A more straightforward way to look at this is: does your organization store the data itself, or does it just handle the data as an intermediary? Remember, Controllers may be processing data themselves, too. It doesn’t work the other way around though.
Under the GDPR, all companies and organizations must have a lawful basis for all processing and storage of personal data. Some companies or organizations might qualify for an exemption or derogation (another fancy way to say exemption). Without one, or a lawful basis, processing or storing personal data is considered “prima facie unlawful.”
Here are the lawful bases that are justified under the GDPR:
- Consent – You can collect personal data if someone consents to it.
- Contractual Necessity – You can collect personal data if it’s necessary for you to fulfill a contract.
- Compliance with Legal Obligations – You can collect personal data if you have a legal obligation to do so.
- Vital Interests – You can collect personal data if it’s necessary to protect the vital interests of a data subject (think life-or-death situations).
- Public Interest – You can collect personal data if you are a public authority, or a private company or organization acting in the public interest.
- Legitimate Interests – You can collect personal data if your company or organization has a legitimate interest that doesn’t override the rights or freedoms of the data subject.
- Data relating to criminal offences and civil law enforcement – This one is pretty self-explanatory.
- Processing not requiring identification – You can collect personal data if you have an obligation to do so in order to comply with applicable law.
What constitutes Personal Data?
According to Article 4 of the GDPR, Personal Data is defined as:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Additionally, there is a distinction between personal data, and sensitive personal data, which the EU calls “special categories.”
Special categories of personal data pertain to: political opinions, religious beliefs, trade union activity, racial or ethnic makeup, physical or mental health, sexual orientation, gender identity or criminal history. To process special categories of personal data, you must provide justification under one of the following legal bases:
- Explicit consent
- Employment law
- Vital Interests
- Charity or NPOs
- Data made public by the data subject
- Legal claims
- Reasons of substantial public interest
- Medical diagnosis and treatment
- Public health
- Historical purposes
- Statistical purposes
- Scientific purposes
- Exemptions under national laws
But in some cases, depending on the scope and breadth of the information you need to disclose to be compliant, it may be a more prudent move to divide your efforts across multiple pages rather than just a single privacy page.
The GDPR says that the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
Although you’re probably not going to get fined if you opt for a single page, burying information in a mile-long legal document is typically not what the average person would consider “accessible.” Make your privacy notices straightforward and easy to understand, and then link to your privacy page(s) in case the customer decides they want to know more.
What information do you need to provide in your privacy notices?
| Information | Data collected directly | Data collected indirectly |
|---|---|---|
| Identity and contact details of your Data Protection Officer | Yes | Yes |
| Purpose of processing, including legal basis | Yes | Yes |
| Legitimate interests of your company or organization | Yes | Yes |
| Categories of personal data collected | No | Yes |
| Recipients or categories of recipients of the personal data | Yes | Yes |
| Info on transfers to third parties, along with safeguards taken | Yes | Yes |
| How long you will keep the data; how this was decided | Yes | Yes |
| The existence of each data subject’s data privacy rights | Yes | Yes |
| The right to withdraw consent (where relevant) | Yes | Yes |
| The right to lodge a complaint with a supervisory authority | Yes | Yes |
| Data source; did it come from publicly accessible sources? | No | Yes |
| Statutory and contractual obligations; consequences | Yes | No |
If you need a more explicit explanation of the categories in the table above, Article 13, paragraphs 1 and 2, elaborates on what must be disclosed to a data subject at the point of collection:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Depending on the circumstances, Article 13 Paragraph 2 (a-f) states that controllers will also need to provide some of the following:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
When does your privacy notice need to be given?
Before we go further, there’s one more thing we should review. When does a privacy notice need to be given? It depends upon which of the two aforementioned categories you fall into.
Here’s an example from the UK’s Information Commissioner’s Office:
This is GDPR compliant, but only because the ICO has a legal basis for placing a cookie beyond someone’s consent. Most businesses will have to disable the use of cookies until they receive explicit consent from the data subject.
This is still teachable though, because it does a lot of things right. It notifies you immediately that the website will be using cookies to collect various data about its users. It has an opt-in button, because consent is one of the better legal bases for collecting information. It also provides links where the user can learn more about the specifics of the ICO’s data collection, as well as a way to adjust the settings (which is also important because the GDPR gives data subjects certain rights to help maintain control over their own information).
This also shows that a privacy notification doesn’t need to be obtrusive or interrupt the user experience completely. This window slides into the bottom left-hand corner of the screen and fades away after a few seconds or when you click on the screen.
Just remember, anytime you collect data for the first time in a new way, you must notify the data subject immediately. And, once again, if your legal basis is going to be consent, make sure to disable cookie use until you receive that consent.
On the other hand, if you collect data from third party sources and not directly from the data subject, you must notify:
- Within one month, with the following two caveats:
  - If you’re using the data to contact the data subject, you need to notify at first contact
  - If you’re disclosing the data to a third party, you need to notify the data subject before the disclosure
Let’s talk about Consent and the GDPR
In the past, companies and organizations have been allowed to play fast and loose with user consent. That’s over in the GDPR.
“The GDPR requires obtaining explicit consent for each specific instance when data is gathered and processed. The individual must be aware of why they are providing the data and how it will be used. Having a pre-checked box will no longer be sufficient,” said Bucy Miller. “Disclaimers must identify what information is being collected, why the information is being collected, and then require an affirmative consent on the part of the individual user.”
That means that if your company is using soft opt-ins or allowing a non-action to count as consent it will have to revisit its privacy practices.
“Failure to give consent under GDPR must be viewed as an opt out,” said Greg Sparrow, Senior Vice President & General Manager, CompliancePoint. “If consent is not expressly given the organization must look to other lawful basis for processing.”
How to Write a Privacy Notice
Ok, so now you have all the specific information that you legally must include to be GDPR compliant. But you need to remember that a person is going to (ideally) be reading these privacy notices. Some (many) won’t, but others will. And you don’t want to scare the bejesus out of them.
So now that you know what you must include, here are some things that you SHOULD include. Remember, you’d ideally like these people to consent to data collection – especially if you don’t have any other lawful basis for collecting it – so being user-friendly and frankly just friendly in general, is important.
Now, for the sake of this section it’s worth noting that different kinds of data collection generally merit different kinds of notices. Hopefully your organization has already done an audit to identify the points where data is collected, the way it flows through your organization, where it’s stored, etc. So, you should have a pretty good idea of where you’ll need to make your notifications. You also know your audience; in some scenarios a simple interstitial message or a small window in the corner of the screen is sufficient.
In other instances, like if you collect data from third parties, you may have to contact someone out of the blue. When that’s the case you should start out with a few things:
- Start with who the data controller is. Ideally this is where you can introduce yourself, and in the case you’re not the controller, who you are working on behalf of.
- Get to the purpose(s) behind the data processing quickly. This really isn’t the time for a core value statement or something else about your business; tell people what you’re doing with their data first.
- Next, make sure you include enough information to establish that the processing is fair.
Fairness is extremely important in the GDPR. It may seem like an odd choice of phrasing, but it’s serious. There are three major components of fairness:
- Using the data obtained in a way that people reasonably expect
- Thinking about the impact and ramifications of the processing
- Being transparent and ensuring people know how their data is used
Establishing fairness goes a long way towards establishing trust. And trust leads to consent—a dangerous sentence if taken out of context. But still true.
And when it comes to privacy notices, it’s easier to establish trust by being straightforward about what data you have, why you will be using it and how you will be keeping it safe. It’s also important to add how long you’ll keep it for. If you want to go over your bona fides, do it later in the document. But also keep in mind that, unless you obtained the information indirectly, most of the people you’re notifying came to your site or filled out your form in the first place, so they are likely already aware of who you are.
What questions do my privacy notices need to answer?
As we discussed, keep in mind that you’re putting this in front of a data subject that you are trying to build trust with. You would like for them to consent to your notice. So, you’ll need to think of how your privacy notices will be perceived. You need to anticipate what questions your customers will want answered. For instance:
- What data is being collected?
- Who is collecting it?
- How are you collecting it?
- Why are you collecting it?
- How are you using it?
- Do you plan to share it?
- How long will you store it?
- What control do I have over it?
- Is this likely to affect me negatively?
- Will this cause objections or complaints?
If your data is collected indirectly you also need to make sure to do a good job letting the data subject know whether you observed it, derived it or inferred it.
I realize that’s a lot of ground to cover, but remember, you don’t have to provide it all in the initial notice. In fact, don’t try to do that. Start by giving the data subject just what they need to know (what you’re collecting and what for), then provide a link or a pop-out that furnishes the rest of the information.
Tips for writing your privacy notices
Now that we’ve covered what you should include and generally how you should structure your privacy notice, let’s talk about the actual writing. Here are some technical tips to help you better connect with an audience whose eyes glaze over when they start reading legalese.
For starters, you need to adopt a simple style that your audience will find easy to understand. Be clear and concise—get straight to the point. Also, don’t assume your reader has the same level of understanding as you do. Try to stay away from industry jargon and where it’s necessary to use it, explain what it means. Confusing terminology is a great way to turn a reader off.
Also make sure to do some research. Chances are, since you arrived on this page, you’re already doing some. But if not, take some time to look at what other companies are doing with their privacy pages and privacy notices.
If you collected the data indirectly, this is where you may also want to include a value statement to help build trust, but make sure you’ve already explained what you’re doing before you start talking about yourself.
Finally, it’s a good idea to make your privacy notices consistent across all your platforms so you can simplify changes to them.
Examples of good Privacy Notices
The UK’s Information Commissioner’s Office suggests two different styles for delivering privacy notices: Layered and Just-in-Time notices. Let’s start by looking at the ICO’s example of a layered privacy notice.
Here’s the first thing data subjects will notice. It’s small and unobtrusive, and it can be expanded to provide more information. When clicked, it does this:
Notice that when this privacy notice is expanded it gives users the answer in a short, concise way that’s easy for a layman to understand. It also lets data subjects know that they may opt out of further product offers and the information being shared with third-parties. Finally, it provides a link to a dedicated page with more information.
This page is dedicated to explaining the ICO’s data collection practices. Notice the language is still simple and easy to understand. However, the ICO could have gone a little further and established how data subjects may opt out. There may be another page dedicated to consent/withdrawing consent, but ideally it should be linked to from the dedicated page.
Now let’s look at the other method the ICO suggests, Just-in-Time notifications. These notifications pop up when a data subject clicks or hovers over a text field that is harvesting information.
Often, and particularly when on an organisation’s [sic] website, people will provide personal data at different points of a purchase or interaction. When filling out a form people may not think about the impact that providing the information will have at a later date.
Let’s look at an example:
Notice how the text box opens when the user hovers over it? This is quick, to the point and invites the data subject to click through to get more information.
Modal Wrap Privacy Notifications
Of course, there are more methods than just what the ICO suggests.
“One [method], which is rapidly gaining popularity under the GDPR, is through clickwrap modals,” said KJ Dearie, a product specialist with Termly. “These windows pop up when a user enters a website and require that an affirmative action be taken, such as checking a box, that denotes a positive opt-in to data collection and an acknowledgment of that site’s privacy notice.”
Here’s an example:
One way the Times is not compliant is that the box for subscribing to the newsletter is checked by default. It shouldn’t be. The user needs to take that action.
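To make the consent rules from this section and from the cookie discussion above concrete, here is an added JavaScript example (not code from the article, the ICO or the Times): a small consent gate that starts every box unchecked, accepts only an explicit opt-in or opt-out as a user choice, supports withdrawal, and lets a cookie be set before consent only when its lawful basis is something other than consent. The purpose names, cookie names and the "contract" basis for the session cookie are constructed for illustration.

```javascript
// Added example, not the article's or the ICO's code. Purpose and cookie
// names are constructed placeholders.
const PURPOSES = ['analytics', 'marketing_newsletter'];

function createConsentStore() {
  // One record per purpose. `granted` becomes true only through an
  // affirmative opt-in; it is never a default and never inferred.
  const records = new Map();

  return {
    // Initial form state: every consent box starts unchecked, so a user
    // who does nothing has not consented to anything.
    initialFormState() {
      return Object.fromEntries(PURPOSES.map((p) => [p, { checked: false }]));
    },

    // Record an explicit choice. Non-actions such as closing the banner or
    // scrolling past it are rejected: they are not consent under the rules
    // the article describes.
    recordChoice(purpose, action) {
      if (!PURPOSES.includes(purpose)) {
        throw new Error('unknown purpose: ' + purpose);
      }
      if (action !== 'opt_in' && action !== 'opt_out') {
        throw new Error('consent requires an explicit opt-in or opt-out, got: ' + action);
      }
      records.set(purpose, { granted: action === 'opt_in', at: Date.now() });
    },

    // Withdrawal is always available and immediately stops consent-based use.
    withdraw(purpose) {
      records.set(purpose, { granted: false, at: Date.now(), withdrawn: true });
    },

    // A cookie may be set before asking only if its lawful basis is not
    // consent (the situation the article attributes to the ICO's own
    // cookie). Everything else waits for an explicit opt-in.
    maySetCookie(cookie) {
      if (cookie.lawfulBasis !== 'consent') return true;
      const r = records.get(cookie.purpose);
      return r !== undefined && r.granted === true;
    },

    // Filter a page's candidate cookies down to the ones permitted right now.
    allowedCookies(cookies) {
      return cookies.filter((c) => this.maySetCookie(c)).map((c) => c.name);
    },
  };
}

// Constructed sample cookies: a session cookie that is not consent-based and
// two consent-based tracking/marketing cookies.
const SAMPLE_COOKIES = [
  { name: 'session_id', purpose: 'session', lawfulBasis: 'contract' },
  { name: '_stats', purpose: 'analytics', lawfulBasis: 'consent' },
  { name: '_promo', purpose: 'marketing_newsletter', lawfulBasis: 'consent' },
];

module.exports = { PURPOSES, createConsentStore, SAMPLE_COOKIES };
```

Before any choice is recorded, `allowedCookies(SAMPLE_COOKIES)` returns only `session_id`; a pre-checked box or a dismissed banner never changes that.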
Privacy Notices on Mobile Devices
Don’t forget about your mobile site when planning and disseminating your privacy notices. A lot of web users are on mobile devices, which means your notifications need to accommodate a mobile user’s needs. Here’s an example of a mobile privacy notice from the ICO:
This is an extremely well-designed notice that looks clean and provides all the information required. They’ve also approached this from the data subject’s perspective, using an FAQ format to provide users with the answers to the questions they’re asking.
If you would like to see some additional examples of good and bad privacy notifications, the ICO has produced an excellent PDF that can be found here.
Privacy Notices and Children
The web is used by everyone, including children. And sometimes those children will end up disclosing personal information without understanding the ramifications. The GDPR is very explicit about the protections that must be afforded to children. Children are considered vulnerable individuals, and you must make sure to treat them fairly. There’s that word again, fairly.
Fairly means drafting privacy notices that are geared towards the age group and level of understanding your intended audience may possess. This may also mean adding additional safeguards.
Above all else, you should never try to take advantage of someone’s lack of understanding. This goes for adult data subjects too, but given children’s status as vulnerable individuals the punishments will be even harsher.
“Article 8 covers the requirements for child consent related to GDPR,” said Sparrow. “In general, children under the age of 16 must have express consent given by the parent or guardian of that child. And data controllers must make reasonable efforts to verify that this consent is given by the parent or guardian.”
Tread carefully here.
Privacy Notices for Different Groups
Oftentimes businesses and organizations interact with a wide range of people. So, you’ll need to think about what types of relationship you have with various groups and whether or not some of the notifications you provide may just confuse them, or at the very least be irrelevant. A good example would be a DMV: it may process information for various groups, so a one-size-fits-all approach to privacy notices would likely cause problems.
As Bucy Miller said, “a blanket statement is not enough.”
If this applies to you, it’s a good idea to segment your customers and provide a tailored privacy notice for each category. This will help your customers better understand how your data privacy practices and procedures relate to them.
Privacy Notices for people who speak a foreign language
Business has gone global, so an American company operating in Europe or Asia is going to be collecting data from a group of people that don’t all speak English. You may be required by local laws to provide privacy notices in another language, but the GDPR doesn’t explicitly require it.
What are the penalties for not complying with the GDPR?
Glad you asked. The fines are steep, and potentially fatal for SMBs.
“The GDPR states that non-compliant companies posing a risk to EU citizens and their privacy can be fined up to €20 million or 4% of their global turnover for the previous fiscal year, whichever is greatest,” said Sparrow.
“For companies like Amazon, with a net revenue around $178 billion in 2017, they could potentially face a fine of $7.1 billion. It is important to note that this fine would be per violation. It can certainly be assumed that larger repercussions would be imposed in this hypothetical case, since case law suggests similar types of violations do not stand alone, and typically occur with others.”
Here’s the difference: Amazon can survive that hit. For a small business, a fine of 10-20 million euros is an existential threat.
“The best practices when it comes to GDPR-era privacy measures will always err on the side of transparency and user control,” said Dearie.
That’s good advice.
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach