How to draft a PRIVACY POLICY in crystal-clear & plain English?
Christophe Boeraeve
International lawyer & Member of the Litigation Chamber of the Belgian Data Protection Authority
Join us in drafting, editing, rewriting or clarifying crystalline Privacy Policies!
The simplest solution is always the best. The easier it is, the better!
Excerpt from the European Commission's Drafting Guide available in all official EU languages!
Do you want to comply with the GDPR and, in particular, write a privacy policy to inform your users/customers of their rights in understandable terms?
You have read articles on the subject, which give you theoretical advice, participated in seminars, conferences & other workshops...
Still, you do not know how to put these tips & advice into practice?
We help you out with illustrations and several practical and useful tips & links.
1) A privacy policy... Sure but why?
A privacy policy is essential in order to provide your users with complete information about the data processing you perform in relation to them.
By writing a sound privacy notice, you are complying with the information obligations set out in articles 12, 13 and 14 of the GDPR (CHAPTER III - Rights of the data subject - Section 1 - Transparency and modalities).
That's one more validated step in your saga towards compliance!
Okay, now you understand the importance of such a policy, but what does it have to list?
2) Which elements should be included?
The information that must be communicated to your users is listed in the aforementioned Articles 12, 13 and 14 of the GDPR, including inter alia:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organization;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to the processing as well as the right to data portability;
- ...
Not only must this information be communicated to your users, customers, suppliers, etc., it must also be communicated in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
And here is a demonstration by example from the "policeman", the Belgian Data Protection Authority (DPA), which is in charge of protecting our private lives and personal data, when the authority addresses children:
Or the well-established approach of the ICO (the UK's Data Protection Authority):
Privacy notices
- Our privacy notices are clear, and presented in plain, age-appropriate language.
- We use child friendly ways of presenting privacy information, such as: diagrams, cartoons, graphics and videos, dashboards, layered and just-in-time notices, icons and symbols.
- We explain to children why we require the personal data we have asked for, and what we will do with it, in a way which they can understand.
- As a matter of good practice, we explain the risks inherent in the processing, and how we intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.
- We tell children what rights they have over their personal data in language they can understand.
And, looking further at English-speaking authorities, the US Federal Trade Commission:
Or the Irish Data Protection Commissioner:
The information shall be provided in writing or by other means including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is demonstrated by other means.
Our original "6 C's" method boils down to ALWAYS taking the advice of the "policemen", i.e. the Data Protection Authorities, such as the ICO (UK), the CNIL (France) or the APD (Belgium):
Transparency can lead to a very large amount of information and therefore, through exhaustiveness, make this information indigestible, unclear and too long.
The data subject may be discouraged and stop reading, producing the opposite effect.
ICO Guidance in "Plain English" has long been available on their website:
Where should we start?
Before you start drafting your privacy information, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise. You should map out how information flows through your organization and how you process it, recognizing that you might be handling several different types of processing.
You may already undertake this type of audit or mapping exercise as part of your existing data governance framework or as part of documenting your processing activities under Article 30 of the GDPR. If this is the case, you may incorporate the privacy information & transparency requirements into this process.
You should work out:
- what information you hold that constitutes personal data;
- what you do with the personal data you process;
- why you process the personal data;
- where the personal data came from;
- who you share the personal data with; and
- how long you keep the personal data for.
Once you have an understanding of the above, you can build on this by addressing some of the more specific questions that you need to be able to answer, such as:
- Which lawful basis do you rely on for each type of processing?
- What are the legitimate interests for processing (if applicable)?
- What rights do individuals have in relation to each type of processing?
- Is there a legal or contractual obligation for individuals to provide personal data to you?
- Do you make solely-automated decisions about people that have legal or similarly significant effects?
You also need to think about your audience, as this will help you keep your information clear and easy to understand.
3) How to present this information?
- Target your reader/viewer: she is the one who should be interested and informed!
- Imagine the questions she might have and answer them
Examples: "What are the objectives of this policy?", "Who is it intended for?"
To learn more and follow the recommendations of the European "policeman", read this clear and concise guide:
- Give her only the information she needs (via multi-layered policies)
- Describe the information in a concrete way that is not open to interpretation
- Structure your text with paragraphs, bullets and indents to make it easier to understand
- If your privacy policy is available in several languages, make sure that the translation is of high quality, so that the translated text is easily understandable, with the same meaning.
4) Avoidable mistakes
- Avoid legal jargon and prefer common language: YOU, as a manager of your company, are best placed to communicate about its products and services, the purposes of your data processing, the sharing of data within or outside the EU, the way in which the data subject can exercise his rights, ...
- Avoid complex sentences & structures
- Avoid the terms "sometimes", "often", "may" and "possible", which imply indeterminacy
- Avoid repeating yourself: e.g. when you mention the GDPR, write out the full name once only (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and then refer to either "the Regulation" or "the GDPR": 'This issue of transparency & information of the data subjects is key to the Regulation. The GDPR obliges data controllers/processors to ...'.
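The two practical steps above, the information audit of section "Where should we start?" (what you hold, why, who you share it with, for how long, on which lawful basis) and the "avoidable mistakes" on wording, can be turned into a simple self-check. The following Python script is an added example and not a tool from the author or from any Data Protection Authority: it takes a small inventory of processing activities (the field names such as `legal_basis` and `third_country_transfer` are assumptions of this example, not GDPR terms), checks each record for the Article 13/14 elements listed in section 2, and flags the vague words from section 4 in the purpose and retention wording. The sample inventory at the bottom is constructed for the demonstration.

```python
"""Self-check for a processing-activity inventory against the elements and
plain-language rules described in the article (added example, not the
author's tool). Field names used here are assumptions of this example."""
import re

# Article 13/14 elements quoted in the article, keyed by the field name this
# example assumes for each record of the inventory.
REQUIRED_FIELDS = {
    "controller": "identity and contact details of the controller",
    "purposes": "purposes of the processing",
    "legal_basis": "legal basis for the processing",
    "recipients": "who the personal data is shared with",
    "retention": "storage period, or the criteria used to determine it",
    "data_subject_rights": "rights of access, rectification, erasure, "
                           "restriction, objection and portability",
}

# Lawful bases of Article 6(1), spelled as this example expects them.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}

# Words the article says to avoid because they imply indeterminacy.
VAGUE_TERMS = ("sometimes", "often", "may", "possible")
_VAGUE_RE = re.compile(r"\b(" + "|".join(VAGUE_TERMS) + r")\b", re.IGNORECASE)


def find_vague_terms(text):
    """Return the vague words found in text, in order of first appearance."""
    found = []
    for match in _VAGUE_RE.finditer(text):
        word = match.group(1).lower()
        if word not in found:
            found.append(word)
    return found


def check_record(record):
    """Return human-readable findings for one record; an empty list passes."""
    findings = []
    for field, description in REQUIRED_FIELDS.items():
        if not record.get(field):
            findings.append(f"missing: {description} ('{field}')")
    basis = record.get("legal_basis")
    if basis and basis not in LEGAL_BASES:
        findings.append(f"unknown legal basis '{basis}'")
    # Article 6(1)(f) additionally requires stating the interests pursued.
    if basis == "legitimate_interests" and not record.get("legitimate_interests"):
        findings.append("missing: the legitimate interests pursued "
                        "(required when relying on Article 6(1)(f))")
    # The notice must say whether data leaves the EU; None means "not decided".
    if record.get("third_country_transfer") is None:
        findings.append("missing: statement on transfers outside the EU "
                        "('third_country_transfer')")
    for field in ("purposes", "retention"):
        vague = find_vague_terms(str(record.get(field, "")))
        if vague:
            findings.append(f"vague wording in '{field}': {', '.join(vague)}")
    return findings


def check_inventory(records):
    """Map each record name to its findings."""
    return {r.get("name", f"record-{i}"): check_record(r)
            for i, r in enumerate(records)}


# Constructed sample inventory: one complete record and one with typical gaps.
SAMPLE_INVENTORY = [
    {
        "name": "newsletter",
        "controller": "Example SPRL, privacy@example.invalid",
        "purposes": "send the monthly newsletter you subscribed to",
        "legal_basis": "consent",
        "recipients": "our e-mail sending provider",
        "retention": "until you unsubscribe, then 30 days",
        "data_subject_rights": "access, rectification, erasure, restriction, "
                               "objection, portability",
        "third_country_transfer": False,
    },
    {
        "name": "analytics",
        "controller": "Example SPRL",
        "purposes": "we may sometimes use your data to improve our services",
        "legal_basis": "legitimate_interests",
        "retention": "as long as possible",
        "data_subject_rights": "see our website",
    },
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as-is, the "newsletter" record passes and the "analytics" record produces five findings: no recipients, no legitimate interests stated despite relying on Article 6(1)(f), no statement on transfers outside the EU, and vague wording in both the purpose ("may", "sometimes") and the retention period ("possible"). The point is not the script but the discipline: every record in your data map should be able to fill the fields your notice has to state, in words that do not hedge.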
5) Render to Caesar the things that are Caesar's
Our "6 C's" method gives back to Caesar what belongs to Caesar.
You will find below the websites of the various French-speaking Data Protection Authorities as well as those of the National Authorities responsible for Information Systems Security:
COMMISSION NATIONALE INFORMATIQUE ET LIBERTES
NATIONAL AGENCY FOR THE SECURITY OF INFORMATION SYSTEMS
CENTRE FOR CYBERSECURITY BELGIUM
NATIONAL COMMISSION FOR DATA PROTECTION
NATIONAL AGENCY FOR THE SECURITY OF INFORMATION SYSTEMS LUXEMBOURG
And their privacy policies...
6) Conclusion
The "Holy Grail" is to write a comprehensive & easily understandable privacy policy.
This is not an easy result to achieve, but there is one golden rule: The simplest solution is always the best. The easier it is, the better!
This exercise, made mandatory by the GDPR, will require application and effort in time, energy and possibly "neurons"... or money.
However, having a solid privacy policy is a key step (see the ICO's 12 steps, the CNIL's 6 steps, the CNPD's 7 steps or the 13 steps of the Belgian Data Protection Authority) towards compliance with the GDPR and an essential tool for communicating with your customers.
A precious asset that a company cannot do without.
Many professionals are at your side to help you in case of need (and don't forget the "policemen" and their websites, advice and other leaflets... free of charge)!