The EDPB has issued draft guidelines on data protection by design. These guidelines can help you comply with the principle of transparency and the data protection by design and by default obligation under the GDPR.
The guidelines refer briefly to privacy policies. Here are some of the EDPB’s suggestions to make them better understood:
- avoid chunks of text: avoid long blocks of information that your average customer finds hard to get through and understand
- plain English: write in clear and concise language so it is easy for your customers to understand how their personal data is processed
- layering: give information in a multi-layered manner with the most important points highlighted
- menus and links: use drop-down menus and links to other pages to further explain the concepts in your policies
- multi-channel: consider using tech such as video clips to explain the most important points
Of course, doing the above is all well and good but your customers also need to know where to find this information. To this end, the guidelines suggest making your policies ‘available and visible on all internal web-pages … so that the data subject is always only one click away from accessing the information’. (This is typically done by having a link to policies at the bottom of a webpage).
The guidelines also refer to ‘best practices and standards of universal design’ so that your policies are ‘accessible to all’.
In effect, this means your policies should be designed so that they can be read and understood by as many people as possible, such as those with: impaired vision; motor difficulties; cognitive impairments or learning disabilities; or deafness or impaired hearing (ie, if you include video clips). If you already follow the Web Content Accessibility Guidelines (known as WCAG 2.1), as many public sector organisations do, then you are likely to be compliant. (In any event, don’t forget that under the Equality Act 2010 businesses have a duty to make reasonable adjustments for people with disabilities when they’re needed, such as by providing the information they need in another, more accessible format.)
Finally, the guidelines make it clear that ‘necessary information must also be provided in the right context, at the appropriate time’. Yes, you need to put a link to your privacy policies on each of your web-pages but, alas, this isn’t always a get-out-of-jail-free card. You also need to make sure that information on customers’ personal data is set out at key stages in the customer journey by, as the guidelines suggest, using ‘informational snippets or pop-ups’ at the right time and in the right way.
So, why does this all matter?
In the past data protection by design and by default was good practice. Now it is an obligation under the GDPR.
Put simply, it has moved from a (non-legally binding) nice-to-have to a (legally binding) must-have.
Of course—and this should come as no surprise—obligations come with penalties. The ICO, in its current Regulatory Action Policy, says that, ‘it is more likely that a penalty will be imposed where … there has been a failure to apply reasonable measures (including relating to privacy by design)’. Penalties for failure to implement data protection by design and by default are significant: 2% of the total worldwide annual turnover of the business’ preceding financial year or €10 million (whichever is the higher).
That’s the bad news. The good news is that there are a few simple changes that you can implement to make your policies work better and be much more effective. In the next article in this series on privacy policies we’ll set out how.
If you want to give feedback on these guidelines, which were issued on 20 November, you can do so until 16 January 2020 (details are here).