In December 2017, the Article 29 Working Party ("WP29") adopted a guideline on consent and the obligation of transparency, which is currently open for comments until 23 January 2018. In line with this, in the UK the Information Commissioner's Office (ICO) has published guidance on Children and the General Data Protection Regulation (GDPR), which is also open for consultation; the deadline for this is 28 February 2018.

How to update privacy notices to ensure compliance has been widely discussed over the last six months, as organisations are finding it challenging to include all the information that will be mandatory under GDPR. The WP29 guideline clarifies the meanings of being "concise, transparent, intelligible and easily accessible", and using "clear and plain language", as the ICO did in its guidance on "privacy notices, transparency and control".

What does this mean in practice?

It means that if you are a customer who would like to know what a company does with your personal data, you should be able to find the privacy notice on the company's app or website and quickly find information about how the company manages your data.

The privacy notice should include all the information the customer is expecting to see and, more importantly, the customer should be able to understand what they are reading.

Hence, it means that when you are considering how to draft a privacy notice, you really need to put yourself in your customers' shoes and ask yourself whether they can easily find the privacy notice and if they would understand what the document says.

What requirement is generally missed by many organisations?

What we are commonly seeing is a lack of clarity. Privacy notices are not yet intelligible enough. Under GDPR, organisations will be obliged to make sure that individuals are properly informed, which doesn't just mean including all mandatory content. In addition, to fully comply with the accountability principle, you may need to be able to demonstrate that you have monitored the number of clicks on a privacy notice and consider informing users by other means as well if necessary.

This is the most important challenge and it will result in a positive change of culture in data protection. I have been drafting privacy notices for over ten years in different jurisdictions, and have talked to clients about being transparent and using plain language. Sometimes clients express concerns with proposed wording on the basis that it did not have a "legal-serious" look. However, those who decided to incorporate a more dynamic and easy to understand privacy notice (which used to include a warning for children where appropriate) ended up being copied by others. However, although the wording was easier to understand, statistics showed that few users accessed the privacy notice in the first place. This is why more needs to be done to make it easy for customers to access them.

The fact that the information needs to be layered, accompanied by symbols, and more interactive is a repeated request which has been backed by the ICO and WP29 in their respective guidelines. If you inform children, then the information needs to be adapted to their level of understanding. So, the implementation of video notices is becoming a must to ensure compliance.

A video notice for children might consist of a cartoon that pops up on a screen and talks to a child, saying something like: "Hi there! Before registering here and giving me your name, let me tell you what I will do with your personal data."

It could be accompanied by a game where the child is able to respond to a short quiz that would confirm whether they understood it. If it is an adult-focused website, this could take the form of a "Ted-style" friendly and concise talk, and incorporate drawings, icons, and so on. We produced a sample to show how we can help with this that can be seen here.

How do I complete this task?

In conclusion, we recommend you consider following these steps:

  • Understand your data processing activities. This includes knowing what personal data you use, the reasons why you use it, who provides you with the data, who you share the data with and in what context, and the legal basis to do so (amongst other things).
  • Check the information that is mandatory to provide under GDPR, and what is applicable to your business. Both WP29 and the ICO guidance on transparency include a table listing the content you need to put in place, depending on whether you collect the personal data directly from the data subject or from a third party.
  • Draft the first version of your GDPR privacy notice. Then work on making it more friendly, easy to understand, and interactive. Include symbols and other mechanisms to navigate through each section.
  • Ask for feedback. Check it with marketing experts and with other individuals and consider their views.
  • Identify the information that may be more relevant, and consider using layered and just-in-time notices at the points where the individuals concerned are most likely to pay attention to them, and consider converting them into video notices.
  • Review them on a regular basis, to ensure that the information provided reflects the real processing activities you are carrying out. For example, if you decide to reuse some data for research purposes, you will need to inform customers about this additional purpose in the appropriate section of the privacy notice and explain the legal basis you are relying on.
