Privacy policies vs. privacy notices

Though often called privacy policies on the internet, this transparency information is often provided through a privacy notice (a policy is technically an internal document of management intention). It’s often a written document that individuals should read before their data is collected. However, this is often a real barrier for entry, and organizations often forget that the purpose is to be transparent to the individual. Often these documents are lengthy, written in legal terms, hidden behind a link and mistaken for contractual terms and conditions, and rather than helping with transparent processing, they end up being a barrier to the individual’s understanding of how the data is processed.

Be transparent, but don’t overwhelm

The goal is transparency, and single large documents written in legal terminology will be a high “barrier for entry” for most individuals. It’s often better to give information throughout the processing and user experience, drip-fed, little and often. Remember that different forms of processing and different collection methods may well require different information. Processing may be on different terms depending on the process (recruitment of staff vs. employment of staff vs. providing a different product) or on the collection method (a paper form may collect different data than a mobile phone or an internet website).

Do’s and Don’ts of data privacy notices

Here’s practical advice on some “Dos” and “Don’ts” regarding transparency when collecting personal data.

Dos

- Remember, the point is to be transparent
- Make them easily accessible, free of charge and easy to find
- Use a layered approach with different levels of information, from specific to general
- Have smaller drip-fed information on the processing
- Use different information for different processes, collection methods, products and services
- Get them proofread by your target audience (I use a 12-year-old!)
- Use different media: consider signage, videos, pop-ups, balloons on forms, etc.
- Be succinct and to the point
- Give them before data is collected
- Use visualizations, icons and links
- Show/hide detailed text by clicking on the section heading, or provide a clickable index
- If you got it from someone else, consider how the individual knows you have it

Don’ts

- Get transparency information (notice) confused with a policy
- Treat them like an agreement of contract
- Ask the individual to “agree” or “consent” to the notice
- Get them written by legal professionals
- Make them long
- Confuse them with a legal basis for processing
- Make a single large document
- Make them hard to read or a wall of text
- Make them anything other than simple information

We can all do better and innovate in communicating with the individuals we serve. Rather than creating a pile of unattractive legal jargon that no one will engage with, we can use marketing and communication specialists to produce communications that create positive user experiences and enhance the brand.