
Privacy dos and don'ts: Privacy policies and the right to transparency

April 20, 2022 by Ralph O'Brien

For individuals to exercise their privacy rights, they first have to know that an organization is processing their data and how it is doing so. This right to transparency applies regardless of why the organization holds the data. It is essential that the individual is told clearly how the data is processed, why, and by whom.

Privacy policies vs. privacy notices

Although they are commonly called privacy policies on the internet, this transparency information is usually provided through a privacy notice (a policy is, technically, an internal document stating management's intentions). A notice is typically a written document that individuals should be able to read before their data is collected.

In practice, however, the notice often becomes a real barrier to entry, and organizations forget that its purpose is to be transparent with the individual. These documents are frequently lengthy, written in legal language, hidden behind a link and mistaken for contractual terms and conditions. Rather than supporting transparent processing, they end up obstructing the individual's understanding of how their data is processed.

Be transparent, but don't overwhelm

Companies often confuse being transparent with writing a single large document that attempts to cover all of their processing, which becomes a barrier to transparency rather than a benefit. There is nothing wrong with having an extensive data protection FAQ, but it should be a secondary source, offered after tailored information specific to the processing concerned.

The goal is transparency, and a single large document written in legal terminology is a high barrier to entry for most individuals. It is usually better to provide information throughout the processing and the user experience: drip-fed, little and often. Remember, too, that different forms of processing and different collection methods may require different information.

Processing may take place on different terms depending on the activity (recruiting staff, employing staff or providing a particular product) or on the collection method (a paper form may collect different data than a mobile app or a website).

Dos and don'ts of data privacy notices

Here is some practical advice, as "dos" and "don'ts", on transparency when collecting personal data.

Dos

  • Remember, the point is to be transparent
  • Make them easily accessible, free of charge and easy to find
  • Use a layered approach with different levels of information, from specific to general
  • Have smaller drip-fed information on the processing
  • Use different information for different processes, collection methods, products and services
  • Get them proofread by your target audience (I use a 12-year-old!)
  • Use different media; consider signage, videos, pop-ups, tooltip balloons on forms, etc.
  • Be succinct and to the point
  • Give them before data is collected
  • Use visualizations, icons and links 
  • Show/hide detailed text by clicking on the section heading, or provide a clickable index 
  • If you got it from someone else, consider how the individual knows you have it

Don'ts

  • Confuse transparency information (a notice) with a policy
  • Treat them like a contractual agreement
  • Ask the individual to "agree" or "consent" to the notice
  • Get them written by legal professionals
  • Make them long
  • Confuse them with a legal basis for processing
  • Make a single large document 
  • Make them hard to read or a wall of text
  • Make them anything other than simple information

We can all do better and innovate in how we communicate with the individuals we serve. Rather than producing a pile of unattractive legal jargon that no one will engage with, we can involve marketing and communication specialists to produce communications that give users a positive experience and enhance the brand.

Want to learn more about privacy? Check out my privacy courses on Infosec Skills.

Ralph O'Brien

Ralph is a trusted advisor on Global Privacy and Security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments.

He has worked in a wide variety of industry sectors including Defense, Public Sector, Pharma and Financial Services, representing both multinational corporations and boutique specialist consultancies.

He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint ISO 27001/25999 management system to be certified. With a focus on business processes and the protection of information, and an ethos of management assurance, risk management and knowledge transfer, he continues to ensure effective protection of assets appropriate to the business needs of the client.