Is Your Privacy Policy GDPR compliant?

One of the hot topics at WordCamp London 2018 was, of course, GDPR.

I watched an enlightening talk from Heather Burns on the role of your website’s privacy policy in a GDPR context. You can find her slides for the talk here.

I’ve heard her speak before – she knows her stuff – and is one of the most straight-talking people I’ve heard speak on legal topics.

Most notably – and contrary to other talks I’ve heard, blog posts I’ve read and videos I’ve watched – she didn’t try and put the fear of god into people in the room.

She made it clear that we shouldn’t underestimate our responsibilities as website owners and creators, but not in the usual way of highlighting the HUGE punitive actions (such as €20,000,000 fines – and let’s be clear, you’ll have had to have screwed up a lot of areas – multiple times – for that to even be a consideration) that we might expect.

So let’s discuss a few points that she covered in her talk.

Website Privacy Policy approach

Traditionally, privacy policies have been hard-to-understand walls of text that are often copied from other websites as a total afterthought to a project (yup, hands up – that was definitely me – and I know you’re nodding along too).

Sometimes they’re bundled in with the “terms” page of a website – because it’s all legal “stuff” and your footer navigation will be out of balance with another link in it, right?

Heather said, quite correctly, that privacy policies are often included to protect the rear-end of the company behind the website, and NOT the user using the website. For this reason, she’s telling us that we need to place particular focus on:

  • What you say
  • How you say it
  • How you display it

Levelling up your Privacy Policy

The first thing I have to say is that any software solution claiming to make you “compliant” is probably overstating what it can do.

Taking GDPR as an example, for the layman particularly, it is a VAST topic.

I wish it were the case, but a plugin or SaaS solution isn’t going to magic it away.

However, with that said, I use a service which helps me enormously with the specific topic of website privacy policies called Iubenda*. You can check it out on this very website by scrolling right to the bottom of the page, and clicking ‘Privacy Policy’.

After watching Heather’s talk, I decided to delve a little deeper into Iubenda* to make sure it’s on par with her points, and I was pleasantly surprised.

What you say in your privacy policy

The “what you say” section was broken into 2 parts.

The first part (entitled “essential facts”), was definitely applicable to every single website that exists (and this is what, in my opinion, Iubenda* handles well). We’ll see why, shortly.

The second part (entitled “as you grow”) was, as the title would suggest, for larger businesses. This covered mostly the exercise of documenting your operating procedures, data you receive from 3rd-parties and industry regulatory disclosures within your website’s privacy policy. This is something that cannot be provided by an off-the-shelf plugin in any way.

What should be included in your privacy policy?

The services you use might differ from mine, so this breakdown is by no means exhaustive.

Referring, again, to Heather’s slides, she stated that we must include:

  • Who you are and how people can contact you
  • What personal data you collect
  • What categories of data you collect (more information on what these categories might be from the ICO here)
  • The consent or legal basis for collecting this data
  • Who the data is shared with
  • How long you keep the data
  • What right to access people have over their data

Let’s see how Iubenda* handles this with some screenshots of the published privacy policy, as per this site.

Who you are and how people can contact you

An easy one to start with.

[Screenshot: GDPR Privacy Policy - who you are and how people can contact you]

What personal data you collect

Again, fairly straightforward, but perhaps it’s not entirely clear how much detail is required.

[Screenshot: GDPR Privacy Policy - What personal data is collected?]

What categories of data you collect

This wasn’t visible to me in the privacy policy. It might be that I’m not using any services that contain any of the “special” categories as defined by the ICO, such as race, gender, sexual orientation or biometric data. If you do collect this data, and use Iubenda*, please get in touch and I’ll update the article.

The consent or legal basis for collecting this data

This doesn’t seem to be included yet, but is the top “hot topic” on the Iubenda* feature suggestion board. With May 25th – the GDPR enforcement date – looming, I hope to see this pushed through.

[Screenshot: Iubenda Privacy Policy Generator UserVoice Forum]

Who the data is shared with

For 3rd-party services, such as Google Analytics, Iubenda* does a good job at making this transparent.

[Screenshot: GDPR privacy policy - who processes data]

How long you keep the data

A little vague, and could certainly be improved, but it’s there.

[Screenshot: GDPR compliant privacy policies - How long is data retained?]

What right to access people have over their data

Perhaps a little vague, but I feel it’s sufficient. Perhaps, however, the language could be improved to make it a little more friendly.

[Screenshot: GDPR-compliant website privacy policy - the rights of users]

In conclusion

While I have really got on board with GDPR as a concept, and have spent a lot of time researching the topic and discussing with others, I don’t enjoy spending my time on it. I want to spend my time building stuff.

There are certainly areas for improvement, but for me personally, Iubenda* gets me much closer to where I should be than if I had to write it (and update it – Iubenda* occasionally refreshes service policies as and when the services themselves change).

I also hope to see further improvements to it as the GDPR enforcement date gets nearer.

Check them out and see what you think.

Finally, a massive thanks to Heather for the work she does in the community – especially for the non-scaremongering, straight-talking approach.

* Signing up through links with an asterisk will mean I receive a small commission.

There are very few paid-for services/tools that I recommend, but if I do, it's because I use them and they have helped me or my business in some way and I feel might help you too.

The price of the service doesn't change.

If I choose to recommend something, I do so whether they've got an affiliate program or not.

If you found this article interesting, I'd really appreciate if you'd share this article with people you think would also enjoy it.
