Is your Privacy Notice worth the paper it’s written on ?? *
(* metaphorically speaking, of course!)
I never cease to be amazed at how many incorrect, poorly worded, illegal and out-of-date Privacy Notices I see on company websites. Because I’m a bit of a geek – if I’m thinking of buying from, or using the services of, a company and I get all the other good vibes and attractive buying signals from their website – I always spare a few minutes to look at their Privacy Notice. This is where, sometimes, the sale is lost, or I choose to vote with my ‘mouse clicking finger’ and go elsewhere. To avoid this, get in touch with us now for friendly help.
If a company can’t get the wording right on their Privacy Notice, if they can’t clearly and easily display what they’re going to do with my data and/or they make wholly inaccurate statements on their website – do I really want to buy from them or use them? After all, if they can’t get the basics right, what might happen if there’s a problem with my order, or the ‘thing’ or ‘service’ I’ve bought from them??!!
What is a Privacy Notice?
Privacy Notices should tell data subjects (staff, customers, users, buyers etc.) a number of basic sets of information as outlined by the GDPR: What data is collected? Why is it collected? How long is it kept? Who will it be shared with? There are many more, which can be easily checked via Article 13 of the GDPR.
These basic sets of information should be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”, so say the GDPR and the I.C.O. How many Privacy Notices run to 4 or 5 pages of “legalistic” gobbledygook that seems to be presented in a format designed to confuse or bamboozle the reader?
Real ‘Case Studies’
I won’t name the real companies concerned, but will now give 2 genuine examples of companies that have been poorly advised by their web design agency in the preparation and publication of their Privacy Notices.
1) Virtual Personal Assistant
A small, but rapidly growing, company providing outsourced ‘virtual’ personal assistant services to companies needing ad-hoc assistance with bookkeeping, filing, e-mail management, diary management etc. had a lovely website created by their web design provider. This included an alleged “GDPR compliant” Privacy Notice. Having read it and highlighted at least 18 items of concern, I found a sentence that read:
“We will take and return £0.99 from your credit/debit card as a credit check against the purchase or your mobile handset”
The Privacy Notice had been ‘stolen’ from a mobile phone company and pasted directly into the website. Unfortunately (and unbelievably) the owner of the business had not read their own Privacy Notice – believing that their web designer had done things correctly – and, of course, they do not even sell mobile handsets.
2) Architect
A mid-sized architect, well known within Scotland and the North of England, with a major chain of companies listed as their main client, had a new website created by their web design provider following a move to a new location and the opportunity to have a brand refresh. This included an alleged “GDPR compliant” Privacy Notice. Having read it and highlighted at least 23 items of concern, I found a sentence that read:
“The significance and possible consequence of this automated decision making are that you may receive an estimate that does not completely cover the requirements of you website”
The Privacy Notice had simply been pasted directly from the web designer’s own website. Unfortunately, the owner of the business had not read their own Privacy Notice – believing their web designer had done it correctly and because it was too long-winded and complicated! There were many other errors that meant that the Privacy Notices were incorrect, not fit for purpose and, in some cases, illegal. Perhaps that’s another article, another time?
Conclusion:
In many cases, web design companies are not GDPR specialists – they will copy and paste what seems to be a good Privacy Notice straight into their customer’s website. Equally, many companies who buy websites are not GDPR specialists – they will simply believe their web design company and will not even take the time to fully read the notice. Fundamentally, there is nothing wrong with buying a generic template to give a framework for use – but it must be carefully edited to reflect the business that uses it and the needs and rights of its customers, buyers, users, staff etc. – After all, it represents YOUR business and the way you handle personal data. It is your formal commitment to your data subjects (customers, buyers, staff).
If any of the above has made you re-visit and look at your own Privacy Notice or you want guidance and/or advice as to whether it is fit for purpose, don’t hesitate to get in touch with THE Specialists in Data Protection; Computer Law Training.