How to write a GDPR compliant privacy notice

February 23, 2018

In 2010, Facebook’s privacy policy ran to an absurd 6,000 words, making it longer than the United States Constitution. Who’s going to read and digest all that?

The GDPR aims to tackle the problem of baffling privacy notices with new demands for clarity, so people can quickly and easily understand who you are and what you’re going to do with their personal data.

This doesn’t mean you have to completely scrap your privacy notice: you can draft a clear, snappy version which links to your longer, revised main policy.

Under GDPR, your privacy notice should answer the following questions:

  • What information is being collected? Consumers need not understand every field or parameter, but they should certainly appreciate the depth of information being collected.
  • Who is collecting it? Complex corporate structures and holding companies should be made clear here – what is the consumer’s ultimate recourse?
  • How is it collected? Where does data go, and where is it being stored?
  • Why is it being collected? What are you legitimately taking it for, and where does that legitimacy stop?
  • How will it be used? And where does that usage cease?
  • Who will it be shared with? Every consumer should know if their data is going to be shared with or sold on to third parties, particularly if the context of that use is different.

Consider also the effect of the answers on the individuals concerned: is it likely to give them cause to object or complain?

A sample GDPR compliant privacy notice

The Information Commissioner’s Office (ICO) provides a sample privacy notice you can use as a starting point.

When writing your privacy notice, the ICO advises you to:

  • Use plain language and a simple style so everyone can understand
  • Avoid legal-speak or confusing terminology
  • Keep it in your house style so that it’s the approach your customers expect from you
  • Align with your organisation’s values and principles so people are more inclined to read, understand and trust your notice

It also says you should:

  • Be truthful
  • Adhere to any sector-specific rules, such as for the marketing or financial services sectors
  • Keep your privacy notice consistent across multiple platforms, and make sure they’re all updated quickly when needed. A content management system (CMS) will help.

If you’d like some help preparing your business for GDPR, check out Me Learning’s portfolio of online courses here.

Alternatively you can speak with a member of our sales team by calling 01273 499100, or by emailing us.
