Privacy Policies – Bridging the Gap

How to write a privacy notice that people want to read



 

When the General Data Protection Regulation (GDPR) landed in 2018 the data protection landscape changed. Whilst legally it didn’t actually represent a massive jump from what was there before, the focus that was placed on data and the eye-watering fines meant that data protection quickly rose up the agenda in most boardrooms. 

Fast forward to 2020 and, whilst interest from the media has waned, the threat of fines is still there. More importantly, individuals and businesses have been left understanding that they have a right to have their data protected. Expectations have been raised. Data protection is no longer something that people (or businesses) ignore.

The Right to be Informed – Mind the Gap

One of the key principles of GDPR is that individuals have a right to be informed about how their data is collected, processed, and used.  The legislators, perhaps foreseeing the gap between lengthy legal documents drafted by lawyers trying to tick every box and users trying desperately to understand what was written, issued a warning. 

Information must be provided in a way that is: 

  • Concise 
  • Transparent 
  • Intelligible
  • Easily accessible; and (this is the big one!) 
  • Use clear and plain language 

Now, this is music to the ears of all lawyers trained in legal design.  It’s what we do! It’s what we have been saying should be the case not just for privacy notices, but for all legal documents.  Shouldn’t that list of things be true for all legal documents?  

The ICO goes even further and provides best practice as to how the information should be delivered. They suggest: 

  • A layered approach 
  • Dashboards 
  • Icons 
  • Mobile and smart device functionalities 

A shift change? 

At the back end of 2018, The Law Gazette reported that Juro’s website privacy policy had received 16,000 visitors. What!!?? Yes, that’s not a typo, 16,000.  Had they inadvertently included a rude word or image? Had they been the subject of a breach that attracted interest? No. They had merely used legal design to deliver what the legislators had in mind. They had managed to create a privacy notice that was clear, concise, accessible to users and which didn’t include all the legalese that we have all come to expect from lawyers.  It was best in class. 

That’s great, that must mean that everyone has followed that approach. Well, not quite. It doesn’t take long to find an example of a long-winded privacy policy. Don’t believe us? Have a look at the last few websites you visited. Did the privacy policy at the bottom leave you delighted? Were they on brand? Did they confirm why it is you do business with them? We suspect the answer to all those questions is, sadly, no.  

They were probably rather boring, lacking in inspiration and likely looked like an afterthought. Why? Well, because to find a privacy policy like Juro’s is still the exception and not the rule. Most firms have taken “easily accessible” to mean “produce a lengthy document but hide the content in concertina fashion so that people are lulled into a false sense of security”.

But it’s just box-ticking 

We get it, privacy notices are just another of those things on the to-do-list that need to be done.  You know you must have one, but they don’t warrant much more than a standard-form contract template. Do they? 

We believe that privacy notices provide organisations with an opportunity. They provide an opportunity both internally and externally.  Most firms haven’t seized that opportunity, which makes it even bigger for those that do. 

The internal opportunity 

Firms need to know what the privacy notice contains. That sounds obvious, but let’s think about that for a moment.  

The privacy notice is your company’s promise to its clients and other individuals that it engages with. It is the culmination of your data story. It documents what you do as a business. If you break your promise, those individuals will, rightly, have a reason to complain. As we have already noted, that not only damages your relationship with that individual, it also leaves you exposed to eye-watering fines and potentially even more eye-watering reputational harm. Even in a best-case scenario you are likely to have some negative social media arise.

Having a privacy policy that all your employees can understand and engage with, not just those in the legal or compliance department, increases the likelihood that everyone will know what they need to do with data. This isn’t just the right thing to do, it provides your firm with an opportunity to build trust with your key external stakeholders. It makes you best in class. 

The external opportunity 

Legal Design is where design-thinking and legal compliance meet, marry and have children. The result is legal documentation that not only fulfils what is needed from a regulatory standpoint but also fulfils what your brand stands for. It speaks to your customers and potential clients in the same way and with the same force that your marketing does. It draws people in and confirms to them why they are doing business with you.

In the context of privacy notices, it goes further. Legal design produces something that users engage with and understand. There is no ambiguity or misunderstanding about what data is or how it is used. This in turn reduces the risks that someone will complain.  

Now, we can’t promise you 16,000 views of your privacy notice. What we can promise, though, is a privacy notice that you are proud to share. A privacy notice that becomes a living and breathing document in your organisation. One that sits at the heart of your promise about data. In the interest of transparency, we will issue a warning: once you experience legal design with one document, there will be no turning back.
