Privacy dos and don'ts: Privacy policies and the right to transparency
For an individual to use their privacy rights, they have to be aware that the organization is processing their data and how they are doing it. This right of transparency extends to the individual regardless of why the organization holds the data. It is essential that how, why and who processes the data is made clear to the individual.
Privacy policies vs. privacy notices
Though often called privacy policies on the internet, this information transparency is often provided through a privacy notice (a policy is technically an internal document of management intention). It's often a written document that individuals should read before collecting the data.
However, this is often a real barrier for entry, and organizations often forget that the purpose is to try and be transparent to the individual. Often these documents are lengthy, legally termed, hidden behind a link and mistaken for contractual terms and conditions — and, rather than helping with transparent processing, end up being a barrier to the individual's understanding of how the data is processed.
Get your free course catalog
Be transparent, but don't overwhelm
Companies often confuse being transparent with writing a single large document to try and cover all of their processing, which mistakenly becomes a barrier to transparency rather than a benefit. There is no problem with having an extensive data protection FAQ, but this should be a secondary source after giving tailored information specific to the processing concerned.
The goal is transparency, and single large documents written in legal terminology will be a high "barrier for entry" for most individuals. It's often better to give information throughout the processing and user experience, drip-fed, little and often and remember that different forms of processing and different collection methods may well require different information.
Processing may be on different terms depending on the process (recruitment of staff, vs. employment of staff vs. providing a different product) or on the collection method (a paper form may collect different data than via a mobile phone or an internet website).
Do's and Don'ts of data privacy notices
Here's practical advice on some "Dos" and "Don'ts" regarding transparency when collecting personal data.
Dos
- Remember, the point is to be transparent
- Make them easily accessible, free of charge and easy to find
- Use a layered approach with different levels of information, from specific to general
- Have smaller drip-fed information on the processing
- Use different information for different processes, collection methods, products and services
- Get them to proofread by your target audience (I use a 12-year-old!)
- Use different media, consider signage, videos, pop-ups, balloons on forms etc.
- Be succinct and to the point
- Give them before data is collected
- Use visualizations, icons and links
- Show/hide detailed text by clicking on the section heading, or provide a clickable index
- If you got it from someone else, consider how the individual knows you have it
Don't
- Get transparency information (notice) confused with a policy
- Treat them like an agreement of contract
- Ask the individual to "agree" or "consent" to the notice
- Get them written by legal professionals
- Make them long
- Confuse them with a legal basis for processing
- Make a single large document
- Make them hard to read or a wall of text
- Make them anything other but simple information
We can all do better and innovate in communicating with the individuals we serve. Rather than creating a pile of unattractive legal jargon that no one will engage with, we can utilize marketing and communication specialists to create communications that create positive user experiences and enhance your brand.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing