Reviewing and updating your privacy notices

Transparency is one of the key principles for the lawful processing of personal information worldwide. If you collect and use people’s personal information, you have most probably published a privacy notice that lets people know how you handle their personal information.

However, privacy notices are not once off documents that you draft and put away in the back alleys of your website. They are living documents and must be reviewed and updated regularly, considering the personal information you are currently collecting and how you use it, legal requirements and standard practice. As we start rounding off the year, if you have not updated your privacy notice this year, we suggest you do so and we provide you with some guidelines on how to go about updating your privacy notice.

Providing an up to date and easy to understand privacy notice is not only necessary to comply with legal requirements, but is also good business practice.

Here are some tips for updating your privacy notice.

Ensure your privacy notice is a true reflection of your processing activities

To meet transparency requirements, your privacy notice must be an accurate, up to date and true reflection of the personal information that you collect and what you do with it. Therefore, when reviewing your privacy notice, the first step is to check if you have made any changes to the types of personal information you collect and what you do with that personal information since the last time you updated your privacy notice. Then note and incorporate those changes into your privacy notice.

Check for changes to the law

To ensure compliance with applicable laws, review your data protection and privacy legal framework and check for changes in laws, guidelines and decisions that may impact on the contents of your privacy notice.

Review the language you use

The most widespread problem with privacy notices is the use of complex language and/or legal jargon (also known as “legalese“). It is not a secret that legalese is beyond the average reader’s understanding and can therefore frustrate anyone trying to read a privacy notice. Some privacy notices also just repeat the wording from data protection laws, which can result in a dry and cluttered privacy notice.

To make your privacy notice less complex and easier to understand, we suggest that you –

• use plain and understandable language (e.g., use clear everyday words) and make the notice more conversational;
• avoid using legalese or repeating the wording from data protection laws;
• if you have to use complex words, elaborate on complicated terms by using explanations and examples that are specific to your business; and
• use icons, diagrams and/or short videos to simplify your privacy notice for your readers.

Keep it short and simple

Long privacy notices can be an information overload for readers. They can also be confusing and overwhelming, and result in you losing your reader’s attention. We recommend that you reconsider the level of detail in your privacy notice and reduce unnecessary words and repetition.

We also suggest that you reconsider how your privacy notice is presented and –

• divide the information into sections and use appropriate headings;
• layer sections of information provided on websites by making use of drop-down functionalities and dashboards; and
• insert links to related policies, laws or guidelines when necessary to avoid cluttering your notice.

Split your privacy notice

We also suggest that you consider having separate privacy notices for different audiences – privacy notices that deal with multiple services, products and processing activities are notorious for being long and difficult to understand. In addition, consider having just in time notices by giving your customers or users short bite sized information on your processing activities when they need it, such as before they make a decision. You can do this by including text in appropriate places on your website, using pop-ups and having short explanations with links to more detailed documents.

Test your privacy notice

Even after doing all of the above, your privacy notice may still not be fit for purpose. If you are unsure, test your privacy notice on a small group of your target audience, then update it to address their feedback before you finalise and publish it.

Conduct regular reviews

Last but not least, remember to diarise to review your privacy notice regularly, at least once a year.

Although not an easy task, getting your privacy notice clear, concise and up to date will not only help you comply with legal requirements and avoid incurring heavy fines, but it will also ensure that your readers are left with a sense of confidence in knowing how you will collect and use their personal information.

Read – The protection of privacy and personal information. How much personal information will be enough?