GDPR states that a privacy notice needs to be a statement made to a data subject that describes how the organisation collects, uses, retains and discloses their personal information. The notice should be “understandable” and “accessible”. It needs to be concise, transparent, intelligible and easily accessible, and written in clear and plain English.
Here are 10 things you should consider when writing your privacy notice:
1. Map out how the information flows through your organisation and how you process it. Work out what you hold, what you do with it, what data you actually need to process.
2. Decide if you need to obtain consent. If you do, make sure it is displayed clearly and prominently, that you are asking individuals to positively opt-in, and that you provide a clear and simple way to indicate that they agree to different types of processing.
3. Your privacy notice should tell people:
- Who you are
- What you are going to do with the information
- Who it will be shared with
4. When writing your privacy notice you should adopt a simple style that your audience will find easy to understand, and which aligns with your house style.
5. Don’t assume that everybody has the same level of understanding as you, and avoid using confusing terminology or legalese.
6. Ensure that your statement is aligned with your organisation’s values and principles.
7. Be truthful! Don’t offer people choices that are counter-intuitive or misleading.
8. Ensure that your privacy notices are consistent across multiple platforms.
9. Go beyond the legal requirement and offer additional information, such as:
- The links between the different types of data you collect and the purposes you use them for
- The consequence of not providing information
- What you won’t do with their information
10. Make sure that you test your draft privacy notice and amend it if necessary.