Why you think of privacy notices under Data Protection, where does your mind go?
Long-winded, legalistic, complicated ‘legal documents’… well I wouldn’t blame you if your mind went there. I see a lot of them during the week and unfortunately the trend is still to overcomplicate them, over legalise them and under utilise them.
So what is the point of a privacy notice? Issuing a ‘legal notice’ to a data subject as required under the law? Or, is it instead just a method of transparency?
As you can imagine, I choose the latter!
The ‘right of transparency’ and corresponding transparency principle under GDPR is not about ‘issuing a legal notice’. It is about ensuring a data subject is duly informed about how and why their data is being used. It’s about being open an honest with the individual about how your services work with them. Literally honoring their right to be informed.
So is issuing a stuffy, long winded, and removed ‘online only’ notice really the only way to be transparent with individuals?
What about molding it into your standard conversations with your customers/citizens/staff? Make it part of your processes that someone is told how their service will work and who you’ll be working with to deliver those services.
For example, if I am talking to someone about how their car service is going to work, what we need from them in order to process the service and ensure they have what they need, I am quite literally explaining to someone what I need from them and why. With some minor tweaks I can verbally add in some more detail that makes sense to the customer and flows with the conversation.
With then yes the written notice to back it up (ensuring that is written in clear, plain language and easy to understand for the audience you are aiming it at!).
- Keep notices sharp and to the point, avoid waffle and legal speak
- Incorporate them into what you are doing with people
- Online notices help but they aren’t the be all and end all – look at how you communicate with your people
- Remember, they are not a legal document, they are about genuinely informing people of what you’re up to
- Check out the ICO’s guidance on privacy notices
This is my standard approach as a DPO! Training for staff that transparency isn’t some ‘thing’ over there you can point to. It’s a behaviour. It should be part of your processes when we ‘onboard someone’ or similar.
So ask yourself, are your notices genuinely ‘transparent’, or are they a box ticking formal notice that are only really transparent to a lawyer?
Get in touch if we can be of assistance to you or your staff in getting transparency right.