One of the most annoying things about interactions with organisations is the endless refrain from customer services is that you must do something for ‘Data Protection reasons’ or ‘for Data Protection’. You see it from company accounts on Twitter, from call centres, even in person. Tweak the script slightly, and suddenly it’s fine – ‘for security reasons’ or ‘to make sure I’m speaking to the right person’ are more helpful and more specific.
It’s this clunky, inelegant approach to Data Protection (alongside habitually uncritical tabloid reporting when organisations use DP as an excuse) that gives it such a bad reputation, and leads to the problem reported by the BBC today. Nobody knows what organisations are doing because the information available is turgid, legalistic and misleading.
With this in mind, permit me to provide some advice on how to write / not write privacy policies
- If your privacy policy mentions the phrases ‘Data Protection Act’ or “Data Subject’, you’re doing it wrong. The person doesn’t need to be told what the eight principles are or what the IG jargon is. They don’t care, nor should they. If they are reading the text, it’s because you’ve told them to or because they want to know what you’re up to.
- If it says how important DP or privacy is to your organisation, you’re wasting the reader’s time – this is something you demonstrate by actions, not assertions
- If it contains any jargon or technical language, remove it (with apologies to George Orwell)
- If it is written in a legal style, especially in the style of a contract, it’s rubbish. Delete it and start again.
- If it is a one-size-fits-all that covers all users of your services or website, it’s unfair. Again, you are wasting the reader’s time telling them about something that may never affect them. If you are telling me about exceptional or unlikely uses of my data, you’re doing it wrong. If you are telling me about things that just won’t happen because I am not that sort of client or customer, you’re doing it wrong. If it might happen but might not, tell me when it does. Fair processing is a processing, not a hurdle you clear once and never again.
- If you tell yourself that something is so complicated that you cannot explain it to your customers or clients, you either don’t understand it yourself, or in fact you just don’t want to explain it because people won’t like it. Either way, you’re doing it wrong.
A privacy policy / privacy notice / fair processing statement (call it what you like) has a single, real purpose. It might seem like you’re writing it to tick a legal box, but if that’s what you think you’re doing, you’re doing it wrong. The purpose of the fair processing statement is to tell the client or customer in simple, everyday language how their data will be used. Anything that does not assist in that specific job is irrelevant, and should be cut out. I don’t care about your security or the fact that you have ISO 10069. I don’t care that you use biodegradable laptops. You can shove your corporate social responsibility aspirations up your carbon footprint: tell me what you’re doing with my data.
Lawyers get a lot of stick for privacy policies (and one or two absolutely deserve it), but the occupation of the person who writes the words is irrelevant – all that matters is their intent. I’ve read many tedious legalistic fair processing statements that were written by Data Protection professionals, while I have read T&Cs written by lawyers that are a model of economy and clarity. Many of the privacy policies I see could be cut to at least 50% of their length without losing any of their meaning. This cannot be tolerated.
Organisations wrap up what they plan to do in waffling, passive-voice, corporate double-speaking Mother-Knows-Best bullshit. This is who we are. When you give us your data, this is what we plan to do with it. The fair processing statement should be short, straightforward and surprising. It should focus on those things that the punter does not expect. We are going to sell your data. We are going to use a data pool to exchange your data with other people who can probably squeeze a few pennies out of you now we’re done with you. We are going to work out what to sell to you based on what kind of person we think you are, based on data we bought from Experian and some Bulgarians we met on Fiverrr. We are going to work out whether it’s worth having you as a customer.
The limits of what you can do with personal data – unless you have an exemption – is what you can explain. In a commercial, charitable or voluntary sector environment, you won’t have an exemption most of the time. Boil the purpose down to its bare essentials and be blunt. If you can’t explain it, you can’t do it.