Privacy policies – does anyone ever read them?

Drafting GDPR compliant privacy policies is a real skill even with a complete data map in front of you.

Articles 12, 13 and 14 GDPR set out in detail the information that must be included in privacy notices. In 2016 the ICO consulted on revised guidance for privacy notices and have updated their issued guidance to cover GDPR. They are reviewing this guidance again and hope to publish any further changes shortly. There is lots of talk of layered privacy notices and blended notices, but what does this mean in practice for organisations that publish their privacy notices on their websites? Only that organisations are dependent on the functionality of their websites. If hyperlinks can be used within the privacy notice to allow readers to read the detail behind the summary, then great. Otherwise, privacy notices will look and feel like online terms and conditions – lengthy, detailed, non-negotiable and very rarely read by those who use the product/website until something goes wrong.

How then can we make them interesting and readable? My view is to pretend you are a data subject reading the notice and think about what you are interested in when you are asked to provide your personal data. Here are my top 5 concerns without my data privacy hat on:

1. Is my data going to be safe?

With all the media headlines about data breaches, the genuine number one concern is does the organisation have sufficient data security measures in place and what are these?

2. Is my data going to be shared and if so with whom?

I am providing my personal data to organisation A for a reason. If there is a genuine need for it to be shared in order for that reason to be achieved/fulfilled then fine, otherwise I only want to give my personal data to those I choose to give it to. Please tell me who is going to have access to it and why.

3. How long is my data going to be kept for?

This really links into number 2. If I am buying something online and choose to check out as a guest, I only want my personal data to be kept for as long as necessary to complete my purchase and possibly deal with a return or complaint. If I am subscribing to a monthly newsletter then of course I expect my personal data to be kept for as long as my subscription is valid. The most important point here is the purpose for which you are providing your personal data.

4. Who do I contact and how if I have a concern?

Something has gone wrong – who do I contact and how? I want a name, an email address and a telephone number. I may not be confident emailing my concern, so I also want a postal address.

5. What are my rights when something has gone wrong or I have changed my mind?

Setting out clearly the data subjects’ rights listed in Chapter III GDPR is important but make them user-friendly. What does the right to erasure mean in layman’s terms? What is data portability and is this really relevant to the service/product you have provided your personal information to receive?

Everything else needs to be included too, but make sure you structure your privacy notice carefully to capture attention, make reading it straightforward and, lastly but just as important, ensure it is GDPR compliant.
