A three-layer compliance model you can use to check that you're ready for the GDPR countdown
When it comes to European data protection, things are changing fast. The countdown has officially started for the GDPR (General Data Protection Regulation), which applies from 25 May 2018. It brings greater protection for consumers, giving them more control over how their personal information is collected, stored, shared and used.
In the UK, the ICO will have stronger enforcement powers under the GDPR, so marketers need to be compliant before the deadline. Consumer information collected for email marketing campaigns in particular is valuable, yet it is easy for the handling of that information to be neglected. One area where companies can, and do, abuse that value is in the privacy information and notices they present to individuals. Many companies use their privacy notice to hide or mask their true intentions for an individual's data. Under the GDPR, this must change.
Companies will no longer be able to bury information in their privacy notices or hide behind technical or ambiguous wording. Article 12 of the GDPR requires privacy information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, so that the individual knows exactly how their data will be used.
How to make your Privacy Notice the best in show
If you look at your privacy notice, are you completely transparent? Do you tell the individual exactly what you’ll do with their data? Would they be surprised to learn that you use their data in the way that you do?
By now, you’re probably realising that you need to revisit it and make a few changes… or even start from scratch!
The GDPR states that all processing of personal data must be transparent. Recital 39 explains that it should be transparent to individuals that personal data about them is being collected and used, and to what extent, and that the specific purposes of the processing should be explicit. This means you must think about your privacy notice as a whole: not just your policy document, but the information you provide at the point of data collection. The easiest way to do this is to use a layered privacy notice.
This type of privacy notice usually contains three layers.
Layer 1 – The short notice. Contains the minimum information: the purpose of the processing, the identity of the data controller and a link to more privacy information. The example below shows a simple statement that sets the individual's expectations when signing up to an email newsletter.
Layer 2 – The condensed notice. Explains the basic principles, usually in less than one page or broken into short segments. This should remain simple, but give more detail than layer 1. In the example below, the information provided is enough to give an individual a clearer picture of how their data will be used, while making it obvious that more detail is available.
Layer 3 – The full notice. Gives all the information the GDPR requires (Articles 13 and 14 list it: who the controller is, the purposes and lawful basis of the processing, who the data is shared with, how long it is kept, and the individual's rights, among other things) and covers every way in which you process data. Layer 3 should also link to any related policies, as in the example below.
The layered approach improves the public's understanding of privacy and data protection without overwhelming them with pages of ambiguous information. Fairness and transparency are central to data protection, and being fair and transparent means giving people all the information they need in a form they can actually understand, which is why the layered approach is fast becoming the preferred way of conveying it.
Valid Consent
Another reason to get your privacy notice in shape is to make sure that, where you rely on consent as your lawful basis for processing (consent is one of several lawful bases under Article 6, but it is the usual one for email marketing), that consent is valid. Article 4(11) of the GDPR defines consent as
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
The easiest way to get an "informed and unambiguous indication" from the individual is to make your privacy notice as clear and transparent as possible. Two practical checks follow from the definition: a pre-ticked box, silence or inactivity does not count as a clear affirmative action (Recital 32), and you must be able to demonstrate that the individual consented (Article 7), so keep a record of what they were told and what they agreed to. An individual who knows exactly what to expect is far less likely to complain, and a complaint about your processing is far less likely to succeed.
Understanding the GDPR
The last thing to consider before changing your notice is to understand exactly how you collect, use and store data. You cannot be completely transparent in your privacy notice if you do not know what you do with the data you collect. To get a clear picture of the changes, you need to investigate how the GDPR works and how it will affect your company.
Here are some questions to ask yourself:
- Where do you collect your customer data?
- What data do you collect from your customers?
- How much of that data do you actually use?
- On what lawful basis do you process it?
- Do your customers know that you collect and use the data in the way you do?
- When do you delete that data?
- Who do you share data with?
- Does your privacy notice accurately reflect how you use data?
Your privacy notice is the way you communicate privacy information to individuals. A clear one gives you a sound position if a complaint is made, and a notice that is easy to understand removes much of the reason to complain in the first place. With this in mind, are you ready for the changes, and is your privacy notice up to scratch?
Thanks to Ash Wood for sharing her advice and opinions in this post. Ashleigh Wood is the Information Governance Officer within the compliance team at Communicator, focusing on internal and client information governance. You can follow her on Twitter.