One of the defining transparency requirements under the General Data Protection Regulation (GDPR) is that organizations must uphold individuals’ right to be informed about the collection and use of their personal data. When personal data is collected, organizations must immediately provide individuals with a privacy notice that states how the data will be used, how long it will be held, and who it will be shared with.
According to the GDPR, personal data is defined as “any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
How to Write a Privacy Notice Under GDPR
With the GDPR taking effect in less than 50 days, organizations are focused on creating a proper privacy notice that complies with the individual’s right to be informed. Although there’s an endless list of suggestions on writing the best privacy notice, the GDPR requires notices to be
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
To best meet these requirements, organizations are keeping the following suggestions in mind:
- Be clear and straightforward
  - When choosing the wording, simple is best. Don’t be misleading.
  - Avoid using jargon.
- Be considerate of the audience
  - It’s likely that the individuals receiving the privacy notice do not have the same level of understanding of the organization’s policies or procedures as the person writing it.
- Be aware of the tone
- Be able to update the notice efficiently
  - It’s important that the privacy notice is consistent for all individuals who receive it. Design the notice so that it can be updated across all platforms when necessary.
The Information Commissioner’s Office in the United Kingdom provides a detailed privacy notice checklist to reference when verifying whether the drafted notice meets the necessary requirements. Organizations can deliver privacy information orally, in writing, through signage, or electronically in various ways, including the layered approach or just-in-time notices.
Privacy notices can be cumbersome, which is why the GDPR is focused on having organizations revamp their documents and procedures, putting individuals’ best interests front and center.