There are quite a number of factors to the GDPR (General Data Protection Regulation) that from 25 May 2018 will change how ALL organisations and companies communicate with users/clients/guests and process and store their personal information.
One fundamental factor we need to look at right now is our Privacy Notices – how organisations explain, right at the point of data collection, what users can expect will happen to their data now and in the future. In this post, we’ll try to dig into the topic of Privacy Notices, and present some best practice examples that “appear” to comply with the GDPR.
It’s this absurdity that the EU GDPR is attempting to tackle – privacy policies may still be long and unwieldy documents, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection.
48% of organisations won’t meet the deadline for GDPR compliance.
DMA, GDPR survey, May 2017
The new EU GDPR demands clarity through a specific privacy notice
This is what the GDPR has to say about the information companies provide about personal data processing – it must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
As the ICO puts it when discussing the GDPR, “being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
What’s more, the information you should provide is changing, too. The lawful basis for your data processing, how long you’ll keep the data for, the user’s right to complain – these are all pointed to in the GDPR.
The following questions should be considered when writing a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Note: for the full detail on what information should be provided to data subjects at the point of data collection, see Article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO here.
So what should your new privacy notice look like?
All this seems pretty straightforward so far, but what then does a privacy notice actually look like?
It’s not as lengthy as the questions above may suggest; in fact, it chiefly tackles what will be done with personal data, by whom, and who it will be shared with.
Here’s an example, again from the excellent ICO guidance:
As you can see, the privacy notice is part of obtaining consent from the user (or telling them about legitimate interests, for example), and is presented at the point of data collection.
When planning privacy notices, you should be aware that more information may be needed than is shown in the example above. How much depends on what the user reasonably expects to happen to their data, and on whether an accusation of a lack of honesty or fairness could be levelled if pertinent information is not provided (e.g. use of personal data for profiling).
You can see a longer example of a privacy notice in a blog post from Scott Sammons, privacy expert – read it here.
Back to the GDPR.
What does the best practice for your new privacy notice look like?
This layering is a good way of saving space in a mobile UI.
Just-in-time privacy notices
Another superb prototype from the ICO, also useful in mobile UIs particularly, is the just-in-time privacy notice.
As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.
Who is adopting some of these practices?
As with many companies out there, Microsoft is getting some things right and others arguably not so. When I investigated signing up for an Outlook email account, I was pleased to see that the form I had to fill in employed the just-in-time technique noted above. You can see it in the screenshot below.
However, Microsoft doesn’t include a privacy notice at the end of the form when I am ready to sign up. Arguably there should be some information at this level about what data of mine will be used and how. I am also required to opt out of marketing, which will be a no-no under the GDPR.
USwitch has a very simple UX for comparing energy prices, but it remembers to include some just-in-time information. See the screenshots below. Note the use of the word ‘optional’ in the phone number field, too.
However, when I went further through the process of applying for quotes, I could not see an obvious privacy notice. It may be argued that all the information I input (energy consumption etc.) is necessary to provide a quote, but I would still have been reassured with another notice about what happens to my data.
You DO need to remember, however…
There are likely better examples out there with whiter-than-white compliance. But remember, it’s horses for courses.
As the ICO points out, consumer expectations are key. You have to “Actively give privacy information if:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.”
Ridding the internet of legalese and promoting transparency is not a new concept
As an addendum, it’s worth noting that the challenge of keeping the user informed is one that many academics and developers have worked on before.
One nice example is the open source code available from the Application Developers Alliance.
It partnered with Intuit in creating privacy notices for apps (see below) that would comply with the Mobile App Privacy Voluntary Code in the US.
Another example of previous attempts to bring some saliency to the privacy notice is the use of iconography. There are no standard icons used to denote various levels of privacy or data use, but their appeal is obvious – they are language neutral.
As GDPR applies to users based across the EC, we cannot assume all users understand one of the major languages of the region.
New privacy icons inspired by Creative Commons
Aza Raskin of Mozilla has developed privacy icons inspired by Creative Commons.
Jurisdiction remains a difficult issue.
Image via CREATe – The use of privacy icons and standard contract terms to build consumer trust