Everyone laughed when Chris Grayling had to cancel a contract made with a shipping company that turned out not to actually own any ships, nor have an agreement with the port authority to sail there. We laughed even harder when it was also revealed that the company in question, Seaborne Freight, had copied and pasted its website T&Cs from a pizza takeaway company.

Terms and conditions are often overlooked but this is a good illustration of why we should be more careful with information which we put on our websites for the world to see.

On checking a privacy notice for a client recently, I found that the notice on her website actually included the drafting notes supplied by the provider with the template, including the following statement: “This document might not be suitable for you if the ways in which you use personal information are complex or unusual. In any event, there are many aspects to data protection compliance. Publishing a privacy policy or statement containing the relevant information is only one aspect – albeit an important aspect – of compliance”. The rest of the notice was totally meaningless, as it listed contact details as [specify contact details] and so on.

Sadly this shows that the materials provided have not even been read, let alone understood. We can only conclude that in this case, other important aspects of compliance have probably also been missed.

As data protection consultants, we often read the privacy notices on companies’ websites before visiting, to get an idea of the personal data processing which goes on in the company so that we can hit the ground running. Sometimes, it doesn’t quite work that way; instead, the visit reveals quite different uses from those the privacy notices described.

A company’s website is the public face of an organisation to many of its clients and potential clients. It is an area to scrutinise to measure a company’s attitude to compliance. Getting your privacy notices right should be your top priority.

So if you are going to create a privacy notice, do it well. Take the time to read templates. Privacy notices don’t have to be difficult; remember, the intended audience is your clients, so if you can’t understand it, your potential clients probably won’t either. And two of the main pieces of guidance in the ICO’s code of practice are that you use “clear, straightforward language” and “adopt a style that your audience will understand”.

Tips for using templates:

  • Before purchasing a template, check that the provider has suitable data protection experience. Also, ask whether they will review your finished Privacy Notice and so spot any glaring errors.
  • Do read through the template before using it.
  • Look out for wording in square brackets – it needs to be customised. You should provide information relevant to your own organisation and situation and then remove the brackets.
  • Where several options are listed separated by slashes (/), you are meant to select the relevant options from the list.
  • Avoid statements such as ‘we may transfer your data outside the EEA…’ without explaining the circumstances under which such processing would happen. Privacy notices are meant to inform the public of what you actually do with their data, not list the options of what might happen.
  • When specifying the legitimate basis for the processing you carry out, it is a good idea to seek professional advice unless it is obvious to you. If you are unsure what is meant by ‘legitimate basis’ you should definitely seek advice.

Joy Higham, Data Protection Practitioner