Supervisory authorities encourage you to use the following elements — perhaps with icons to draw attention — to communicate your privacy notice to data subjects:
- Layered privacy notice: This layout makes the text easier to read and understand by “chunking” the text under text underneath collapsible headings that can be expanded to reveal more information, as shown in the following figure. The text of a section is hidden until you expand it by clicking the plus sign (+). This makes the privacy notice easier to navigate and to read because the user doesn’t encounter a lengthy, plain text document.
- Privacy dashboard: A dashboard gives data subjects control over certain privacy settings and can be used to allow them to provide (and withdraw) consent, as shown in the following figure. You should provide links to the Privacy Notice from each of the various preferences to explain how the data would be processed.
- Video: A short video clip can be an effective and appropriate way to communicate your privacy notice to data subjects. You can view this great example of a video privacy notice, prepared by The Guardian (a daily newspaper in the UK).
- Just-in-time notice: This box on your website pops up at the point where a data subject provides personal data. The notice, as shown in the following figure, gives brief details of how the data is used and provides a link to the full privacy notice.
Often, the technology required for the items in this list — the time and cost of producing videos, for instance — acts as a barrier to small businesses producing privacy notices along these lines. That means small businesses get by with having a web page with a privacy notice in normal text, without any layering, dashboard, or video — and that’s fine. The fact that you don’t have all the bells and whistles doesn’t mean you won’t be compliant.
When it comes to just-in-time notices, however, suppose that you’re collecting personal data via your website (for example, through a customer support enquiry) and you decide to obtain consent by virtue of a tick box because you are also going to use their data to send them a newsletter. In this case, you need a technical solution to obtain that tick and keep a record of that consent. Fortunately, affordable solutions do exist, such as Lead Pages, Optimizepress, Click Funnels, Mailchimp, and Aweber, to name but a few.Some organizations may think it appropriate to add this wording below the sign-up box: “We will never share your information with third parties.” It’s likely that this isn’t an accurate reflection, because the vast majority of businesses, no matter their size, will share certain data with third party data processors, such as cloud service providers or email service providers. What they likely mean, however, is that they won’t share your data with third parties so that those third parties can spam you. You might use this wording instead: “We will never sell your data to third parties.”
You might be tempted to copy another business’s privacy notice to save time and money. However, I advise against doing this, for these three reasons:
- No two businesses’ use of personal data will be the same. If you copy the privacy notice of another business, you won't reflect the true data flows and true position about the way you protect personal data within your business. You need to carry out your own data inventory and ensure that all that information is properly reflected in your privacy notice.
- Copying another business’s notice may infringe on their intellectual property rights (or those of the lawyer/attorney who drafted it). This could result in a claim being brought against you.
- Paying pure lip service to data protection and not putting it at the heart of your business will be looked on unfavorably by any supervisory authority. If, during an audit or in the course of investigating a complaint, a supervisory authority sees that you have merely copied a privacy notice from another business, it may take enforcement measures against you, such as by serving an enforcement notice or issuing a fine.
Enforcement notices are made public. Even though you may not be fined, this can still potentially have a negative impact on your reputation when your customers discover it — or when your competitors advertise it for you.
Communicate your privacy notice
If you’re collecting personal data directly from the data subject, the information included in the privacy notice must be provided at the point of collection of the data.It’s a common misconception that you need people to "agree" or "consent" to your privacy notice: That is not the case. Consent is just one of the lawful grounds of processing personal data. Asking for consent to the whole privacy notice will not be “informed consent” and therefore will be invalid. You merely need to advise people of what’s in your privacy notice, not obtain their consent or their agreement to it.
You'll need a separate privacy notice for employees, which is typically provided directly to them rather than on your website.
Communicate via email
If you haven’t obtained the personal data directly from the data subject — maybe you obtained it from an online business directory, for example — you must link to your privacy notice in the first email that you send them.You should check that you are legally allowed to email such data subjects without their consent.
Even though you may have already provided your privacy notice to data subjects at the time that they provided you with their data, it is a good idea to include a link to your privacy notice in the footer of each email you send.Communicate via your website
If you have a website, it’s the obvious place for you to display your privacy notice. Typically, you do so with a link to the privacy notice in the footer of each page of your website, as shown in the following figure. I recommend providing this link at all points where you collect personal data, such as a newsletter sign-up box or your contact form.Communicate over the phone
If you’re collecting personal data over the phone, you should refer people to your privacy notice. Typically, this is done before the call is started, with a recorded message that’s delivered during a holding period. You can provide brief details of the most important parts of the privacy notice, such as the right to opt out of marketing communications, and then refer callers to your website for the full privacy notice.Communicate in person
If you collect personal data in person (for example, in your store or at an event), you should make the privacy notice available at this point. It’s sufficient to have a sign with brief details of the privacy notice and a link that refers people to the privacy notice on your website. You could also keep a printed copy of the privacy notice behind the counter, in case someone wants to read it because they can’t access the website.If you collect business cards at a networking event, perhaps by way of a prize drawing to garner more cards, you must post a sign with brief details of the privacy notice and a link that refers people to the privacy notice on your website. Again, consider having the full privacy notice in hard copy so that people who can’t access the version on your website can review it if they want.
You can, in theory, provide all of your privacy notice orally. To include all the information set out in the GDPR, however, you would be speaking for a long time. And, you would need to keep a record of having provided the requisite information (and of any relevant consents provided to you orally).