Trust Keith resources

Why most privacy notices suck (sorry 😬), and how to create a good one

Written by Mitchell Omer | Sep 27, 2022 2:35:23 AM

A Trust Keith event 

Privacy notices (or "privacy policies", as many people call them) are not legal documents; they aren't contracts and they aren't even policies. So what are they? Simply put, they are the means by which you meet the legal requirement to be transparent about what you're doing with people's personal data.

In this online event, Tom (Head of Delivery) and Mitch (Head of Revenue) discuss why your privacy notice matters and how to create a good one.


What you’ll learn 

✅ Why 95% of privacy notices suck (sorry 😬)

✅ What a good privacy notice looks like, with real life examples 

✅ How to create a good privacy notice

✅ Why it matters more than you might think


Privacy notices and the law 

The law on privacy notices is not quite as clear cut as it may seem. Under the UK GDPR and the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data (the detail of what must be told to them sits in Articles 13 and 14 of the GDPR), including things like:

  • Your purposes for processing their personal data
  • Your retention periods for that personal data 
  • Who it will be shared with 

Often, the easiest way to comply with this obligation is to publish the relevant information on your website as a Privacy Notice. There is no obligation for it to sit on your website, but most of the time that is the most practical and easiest way to do it. Depending on your audience, a block of text may not be the best way to present the required information - some companies choose images or cartoons instead, particularly if their target audience is children.

You cannot agree or disagree with a Privacy Notice: it is a factual statement about how a company processes personal data, not something a user accepts.

🥡 Key takeaway: A Privacy Notice is NOT a contract and is NOT the same as T&Cs. Do not write it as such. 


What not to write 


We've all seen this classic privacy notice (the example shown in the event) - on websites and as a template available online. Full of legalese and detail, it lacks the simplicity required to comply with the right to be informed. Privacy notices should be clear and simple.

What’s a good Privacy Notice?

To count as a good privacy notice, it has to be (in the words of Article 12 of the GDPR):

  1. Concise 
  2. Transparent 
  3. Intelligible 
  4. Easily accessible

Ask yourself: 

  • Can I understand this? This is particularly important if you are outsourcing the task - if you don't understand it, your users won't either.
  • Would the average person understand it?
  • Do I need something simpler for children? For example, cartoons or videos that make it easy for children to understand how their data is used.

Examples of a great privacy notice 

Juro

A well-known privacy policy in this space (famous, as some - ahem, Tom - would say), the Juro Privacy Policy is praised for its ease of use. It ticks all the boxes outlined above, although it is a little long.

✅ It's well-structured and easy to navigate, with an attractive UI/UX

✅ The lawful bases are clearly defined and easy to read - users have a clear idea of exactly why their data is being collected and processed

✅ While quite long, users can choose the level of detail they want, thanks to multiple dropdowns throughout the policy


ASOS

Taking a slightly different approach, well-known retailer ASOS stands out with a simplified privacy page that uses a video as the first port of call.

✅ It has a simple approach, using a video and bullet points that are easy for everyone to understand, with the longer, more detailed policy set out further down the page

✅ The policy clearly explains what they do, why they do it and why they need to do it from a legal standpoint 

✅ It uses plain language and is pretty straightforward for anyone to understand

✅ It is on brand for ASOS and is a market differentiator 


Trust Keith

We wouldn’t be privacy experts if we didn’t feature our own notice as an example, would we?! 

✅ The layered approach to sharing information lets users decide exactly which topics they want to see more detail on

✅ It's concise and simple: our privacy notice is short and sweet, covering the most important information for those who engage with our website, events or content, without skimping on what's legally required


How to create a Privacy Notice… properly

Before you sit down to write your privacy notice, you first want to map out the data you process, including: 

  • What you collect
  • How you collect it 
  • Where you store it 
  • Who you share it with 

While it might look complex, it's actually relatively simple. In the data map shown in the event, green highlights the personal data and blue the systems it flows to. It's a simple way to break down the user journey and show exactly where and how data moves through the business in a digestible format.

It's easier to do this by following the data journey: think about the first communication you have with a data subject. How do they contact you? What data do you collect? Where do you store that data? Who do you pass it on to? Asking these questions and taking the journey step by step is the best way to get a good overview of your collection and use of personal data.

At this point, you should also think about putting together your Record of Processing Activities (RoPA), a legal requirement under Article 30 of the GDPR. (Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, poses no risk to individuals and involves no special-category or criminal-offence data, so in practice most scale-ups still need one.) When done well, your data mapping informs your RoPA, which in turn informs your Privacy Notice.

About Trust Keith

Trust Keith helps founders save the time, energy and ambiguity of managing data protection themselves. We know first-hand the importance of getting it right while not letting it unduly disrupt business as usual. We're here to change the perception that data compliance is "boring" and "unsexy", helping fast-growth scale-ups navigate the complex world of compliance with ease and focus on scaling their business with confidence.