Privacy notices
2017
Guide 7: The General Data Protection Reform
www.communicatorcorp.com 2
Share this guide
In brief
What’s happening?
The GDPR (General Data Protection Regulation) is a new data protection regulation, bringing greater protection for consumers and giving them more control over how their personal information is collected, stored, shared and used.
To ensure organisations comply with the regulations, the reforms will bring an easier complaints process and huge fines, backed by stronger ICO enforcement.
There are a number of elements which form the changes and there is a lot for marketers to take on board. With that in mind, we’ve aimed to summarise the information you need to know in a series of specific guides and blog posts.
As part of their GDPR-readiness campaign, the ICO have just released a new code of practice on communicating privacy information to individuals. The code is more than a list of what organisations need to do; it also gives advice and guidelines. We’d advise you read it from cover to cover! But for now, here is an easy introduction…
Privacy information
What is privacy information?
Privacy information isn’t just that document mentioned at the bottom of a web page, or the information behind the T&Cs links that most of us never read. Privacy information is whatever sets the expectations and explains how personal data is used, protected and controlled. So this includes the information on screen or visible before and during data collection, as well as the more detailed privacy notices you’ll have.
Why are things changing?
By now we know a lot about the value of using data and the full potential of data insights to power our marketing campaigns. You’ll have read up on big data and other data-centric topics to support this view, so you want to gather as much data as you can, right? Because the more data you have, the more you can get out of your campaigns.
But what many companies fail to realise is that collecting this valuable information is a privilege, and it’s easier than you may think for this privilege to be abused. Data breaches in the news are almost a weekly event. The forthcoming GDPR has been designed to reduce the risk to consumers: the people who provide you with their valuable data, enabling you to send your marketing.
In this guide
Privacy information (page 3): What is privacy information? Why are things changing?
Fairness (page 4): What the law says; Fairness: key points; Layered privacy information; What should your privacy information show?
Transparency and consent (page 7): What the law says; Transparency and consent: key points
Reasonable expectations (page 8): What does it mean?
Sharing and buying information (page 10)
Your privacy notice (page 11): Checklist
Fairness
What the law says
The law says that personal information should be processed fairly, where processing means obtaining, using or disclosing information.
Personal information is not classed as being fairly processed unless the organisation processing the data provides the individual with, or makes readily available, the following:
• The identity of the controller
• The purpose for which the data is intended to be processed
• The intention to transfer personal data
• The existence or absence of (where appropriate)…
  – an adequacy decision;
  – appropriate safeguards; or
  – the controller’s compelling legitimate interests.
Fairness: key points
There are two main elements of fairness:
1. Information is being used in a way that people would reasonably expect
2. Ensuring people know how their information will be used
These two elements work hand in hand with each other. At the point of data collection you need to ensure you provide the following:
• The information necessary to set the correct expectations around the data collection, storage, usage, sharing and destruction
• Context and established convention, used to determine what is already expected
• Attention must be drawn to processing which wouldn’t be expected
• Clarification and detail concerning what is already understood and expected
• If there is any unexpected data use: the less likely something is to be expected, the less likely that a linked privacy notice can be relied upon to inform individuals
Layered Privacy Information
Your privacy notice should then be used to expand on that information, ensuring people know how their information is used.
Okay, so what does this mean for you?
You need to be realistic about how interested people are in the way you handle their personal data. Many people will only be interested in what they’re signing up to or purchasing and so on; they’re unlikely to read a detailed privacy notice.
But you still need to provide the information!
That’s why a ‘layered notice’ is useful. The layered approach allows you to provide the basic privacy information up front, then have a more detailed privacy notice elsewhere for those who want to know more.
A simple notice with a “Learn More” link is an example of a layered notice. It provides information in a simple way initially, setting expectations, with a link to find out more. Like this one…
[Image: Layered Privacy Notice]
The ICO has just released a new code of practice on communicating privacy information. Their example of a layered approach is a just-in-time notice, which is a little more advanced but should be regarded as the new best practice.
A just-in-time notice works by displaying relevant information, but only at the moment it’s relevant. This prevents information overload and helps achieve that balance of information and simplicity.
What should your privacy information show?
When you’re writing your privacy information it’s good practice to think like a consumer. Start by asking yourself these questions:
1. Would the consumer know who is collecting information?
2. Would they understand why you are collecting their information?
3. Would they understand what it means to allow you to collect their information?
4. Would they be likely to object or complain?
Remember that the visible privacy information should set the expectations and provide the consumer with simple information. Your larger, more detailed privacy notice should provide clarification and detail concerning what’s already understood and expected from the point of collection.
So it needs to be clear, accessible and informative. Here’s an example…
Transparency and Consent
What the law says
“It should be transparent what data is collected and used, for what specific purposes, the existence and consequences of profiling, who is doing this processing, for what time periods and who will receive the data. The individual should be informed about … Individuals should be made aware of risks, rules and safeguards.”
Transparency and consent: key points
• Consent should be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to personal data relating to him or her being processed
• Consent should cover all processing activities carried out for the same purpose(s)
• When the processing has multiple purposes, consent should be granted for each of those purposes
If you are to carry out transparent processing, then…
In order to be fair to the consumer, you need to be transparent and allow an individual to consent to the processing of their data.
Where an individual has a choice over how their data is processed, it’s important to allow them to exercise that choice. This means that consent must be freely given, specific and fully informed, and it must also be revocable.
The layered approach allows you to be truly transparent, which in turn will allow you to gain well-informed, valid consent from individuals.
If you’re relying on consent for processing, your method of obtaining it should be clear and displayed to the individuals at the point of data collection.
If you’re attempting to gain consent but are failing to provide supporting information, then consumers are unlikely to be fully informed and the consent cannot be considered valid.
If you’re processing information for numerous purposes then you need to explain this. You need to provide a clear and simple way for individuals to agree to each type of processing.
People may want to consent to their information being used for one purpose but not for the other(s). The best way to do this is to provide a list of how you process information and allow people to say yes or no to each method.
This may sound complicated, but clever design can help give the required information in a simple format as well as recording consent per level.
Compare the Market has a form with very few words and no tick boxes in sight, and they still manage to balance the information, expectations and simplicity requirements with a simple design and mobile-friendly icons. Take a look…
[Image: Compare The Market example]
Reasonable Expectations
What does it mean?
You can only use collected information in a way that people would reasonably expect.
Because that rule is vague it’s up to you to identify what isn’t clear about your data use and how you explain what you do. The layered approach allows us to show simple information snippets to set those expectations correctly.
But first, you have to put yourself in the shoes of someone using your website or sign-up process in order to identify what may or may not be expected, so that you can choose how much information to display, where, when and how.
To put this into context, here are two examples…
If you do use information in a way that is not expected, then you’ll need to inform the individual about what you’re planning to do with their data. A common sense approach is a good starting point.
It’s not difficult to differentiate between what’s expected and what’s unexpected. The easiest way for you to decide is by thinking as a consumer: what expectations are set during your data collection process?
Use a layered approach, making sure expectations are set up front, with any more detailed information easily available in a linked, easy to navigate privacy notice.
Expected
• A person purchases a pair of shoes from an online store. Their personal information is only used to despatch the goods, take payment and for the company’s own record keeping.
• The collection and processing of this information is expected and fair, even if the person has not been given explicit and detailed information about it.
• Any reasonable person requesting such a service would understand that they cannot receive their purchase unless this level of processing happens.
Unexpected
• A person purchases a pair of shoes from an online store.
• Their personal information is used to despatch the goods, take payment and for the company’s own record keeping. On top of this the company creates a profile, using contact, browsing and purchase details to curate web and email content. They also share this data with another company, who provides online advertising services. The collection and processing of this information to fulfil the sale is expected and fair.
• The creation of the personal loyalty profile to tailor web content and target emails may be expected. However, passing the information on is, almost certainly, not expected. Even if the intention to pass details on in this way was mentioned in a privacy notice, because it’s not expected it breaches ‘fair processing’ principles and wouldn’t be allowed.
• Instead, the online store should have a notice advertising the benefits of the loyalty program and curated content, with the option to sign up.
• They should also advertise their intention to share information with another company, again selling the benefits and giving the purchaser the option to sign up.
• With expectations set, links to the privacy notice, which explains in more detail how this works, can be made.
Sharing and buying information
There can sometimes be strong pressures to share personal information with other organisations. If you’re going to share the personal data you collected with third parties then you need to ensure you’re treating your consumers fairly.
It’s good practice to not only tell people you’re going to share information with third parties but also to gain their consent to do so. The consent should be informed, so you need to ensure you’re telling people:
• What the third party is going to do with their information
• What effect this has on the individual
• How it will benefit the individual
Without giving this information the consumer can’t make an informed decision on whether they want their information to be used in such a way. There is also a lot of pressure within the email marketing industry to send more emails. To do this, some marketers rely on buying or renting data lists.
When buying or renting a new list you must take the following steps:
1. Due diligence: you must research the list! You need:
  • proof that the people on that list have given consent to have their data passed on within the last 6 months
  • to see what expectations were set when that data was collected
2. Unsubscribe processes: when a consumer wants to opt out, if the marketing list came from a third-party vendor, all of the companies in the ‘data chain’ must be informed. So you need 3 processes in place:
  • A standard mailing list unsubscribe
  • A Data Vendor to Marketer unsubscribe
  • A Marketer to Data Vendor unsubscribe
3. Inform the individual: in your first communication you should inform them why they’re receiving the email. This can be as simple as saying “we have your information because you said yes to company X giving it to us”. This will avoid any complaints by people who may have forgotten.
Buying or renting lists can get you into a lot of trouble if you don’t do it right, so following these 3 steps is a good way to help avoid any issues arising.
Your privacy notice checklist
To ensure your detailed privacy notice is up to scratch, here’s a checklist to follow. For each ideal component of a privacy notice, the question to ask yourself is listed beneath it; note whether each component is already included or still needed.

Introductions
• Clearly states who you are
  Ask yourself: Does the notice give information about your organisation?
• Consider the language used; clear and unambiguous language is needed
  Ask yourself: Does the language suit the people who the notice is aimed at?

Data Collection
• Describe what type of personal data your organisation collects
• Describe why you collect personal data
• Describe what methods your organisation uses to collect personal information
  Ask yourself: Do you collect and/or keep information on forms in hard copy, on computers, and/or on your website?
• Indicate that the information is necessary for the activities it’s used for (in your marketing)
  Ask yourself: Can you assure consumers that their data is collected only for the purposes you’ve stated?

Use of Data
• Generally describe how the organisation will use the personal information collected
  Ask yourself: Will the data be used for anything more than personal contact with the individuals in question?

Disclosure
• Describe under what circumstances the information might be disclosed (if any)
  Ask yourself: Will the lists be used by third parties? If so, how do you propose to obtain consent and what additional measures are needed to protect the security of the information?
• Provide examples or instances of where the information provided will be used
  Ask yourself: Do third party services need access to the information to perform their duties? Could sharing the information provide the opportunity for third parties to promote products or services to the people whose information you are providing?

Use of Data in Marketing
• Include an explanation of how data will be used if you carry out direct marketing
  Ask yourself: How many hands will the information pass through?
• Have options for individuals to opt in or opt out of your marketing campaigns
• If applicable, explain how the organisation deals with information in third party contracts, and state whether names are shared
  Ask yourself: Can you assure individuals that the third parties referenced will maintain comparable levels of protection?

Accuracy (integrity of the data)
• Describe the steps taken to ensure information is accurate, complete and up to date
  Ask yourself: How often will you check with the people in your database to be sure the information is accurate?
• Describe how an individual can correct their personal information

Security
• Show that reasonable steps have been taken by the organisation to safeguard personal information in the event of misuse, loss, unauthorised access, or disclosure
  Ask yourself: What security measures are in place for both print and digital records? Are any archived records, that must be kept to comply with legal requirements, separated from the current database?

Access to information
• Explain an individual’s right to his or her own personal information
• Indicate who has access to the information given
  Ask yourself: Do only those with a legitimate need for the information have access to it?
• Describe when access might not be granted (if any)

Organisation Contact
• Identify who to contact (and how) regarding the policy
  Ask yourself: In addition to who and how, what is your timeline for replies to inquiries?
• Explain how complaints can be made and to whom
Our Privacy & Compliance series
The General Data Protection Reform (2017):
Guide 1: What’s coming and what it means for you
Guide 2: Can I have your number? Data collection & consent
Guide 3: Ticking all the boxes? Processing & storing data
Guide 4: Getting your ducks in a row: What campaigns can you send?
Guide 5: Say what?! Translating the changes to your customers
Guide 6: Is it me you’re looking for? The right to be forgotten
Guide 7: Privacy notices
Guide 8: Legitimate Interests
Guide 9: Third Party Data in Email Marketing
Any questions?
For more help and advice like this and to access our library of free resources, visit the Communicator blog and resources sections at www.communicatorcorp.com
@CommCorp
+44 (0) 345 300 2337
Experts in Email Performance