What GDPR means for publishers’ privacy policies

GDPR is almost upon us, if you haven’t updated your privacy policies yet, here’s what you need to know and how to get it done quickly.

If you’re not GDPR-compliant already with your privacy policy, you’re running out of time – fast. If that is the case, then here’s some advice and guidance about how to get your policies up to scratch as quickly as possible.

First, the bad news. There isn’t a quick fix. You can’t simply cut and paste a privacy policy from somewhere else. You have to be explicit about exactly what you do with data, and every business is different and will be using subscriber and visitor data in different ways. So your policy has to be bespoke. However, there are resources you can turn to for help. A key starting point is the Information Commissioner’s Office (ICO) which offers a wealth of advice, including checklists of things that need to be included/covered in your privacy.

Sophie Chase-Borthwick, global lead – GDPR services at data optimization and privacy specialists, Calligo, explains. “The ICO has a lot of good resources and guidance. However, they can’t give too many hard and fast examples as they know perfectly well people will simply copy it verbatim. The reality is that some companies are very basic and old school when it comes to data, whereas others do impressive things with demographics and analytics. Each one of those will have very different privacy notice requirements.”

While you can’t copy someone else’s policy wholesale, you can look at what works and what doesn’t for other publishers. Of the big publishers, Chase-Borthwick cites the BBC as a good starting point to see how to get it right, certainly in terms of look and feel.

“While there is no finite guidance on length, you’re privacy policy needs to be navigable,” she explains. “So make it easy to follow, use different sections that link through to more detailed explanations. Or even do a precise of your policy and link though to the full policy – this is what the BBC does and it works well.”

She adds that while you don’t have to have your cookie policy and privacy policy in same place, if your cookie policy involves personal data collection you do need to have them closely tied together.

However, the biggest challenge around privacy policies is likely to be one of culture shock. The reality is, we’ve been used to doing things a certain way for so long and GDPR is turning that on its head. Incomprehensible legalese is out, as is burying your privacy policy somewhere remote on your site or hiding things in small print. Instead everything needs to be easy to find and easy to read – we’re talking plain English here.

The acid test is, can the average “person on the street” go onto your website, find your privacy policy easily and then come away having understood exactly what it is you are doing with their data? If that’s not the case, you’re going to fall foul of GDPR. So, if your privacy policy has been written by your legal team, get it reviewed now by the marketing department or a copywriter to make sure it’s in PLAIN English.

Under GDPR, any time anyone properly engages with your website – not just reading, but wanting to know more and signing up – then you need to have your privacy notice right up there. You need to let them know up front what you do with their data. If they have to go and search for this then, again, you are going to fall foul of GDPR.

Another area where publishers are potentially likely to be caught out is the need to declare if they pass information between magazines under the same company umbrella.

“Just because someone subscribes to one title doesn’t mean you are allowed to pass data between that and another title without full disclosure,” explains Chase-Borthwick. “GDPR is very clear on this, affiliate companies within the same structure are still considered external third parties. The only way this would not apply would be if all titles were part of the same legal entity.”

So tell people clearly if you are sharing details. This doesn’t mean vaguely skirting round the point by saying “we may share your details with some of our affiliates”, you need to say “we will share your data with affiliates within our parent company”. Again, this is all about plain English.

This links to the final point Chase-Borthwick raises. What we’ve been talking about so far is what is officially termed an Article 13 privacy notice. This is where the organisation gets its information directly from the “data subject”, i.e. if someone subscribes directly to your magazine. An Article 14 notice, on the other hand is where that data is acquired from a third party, including your affiliates.

“If you contact someone that came to you via someone else, then the first time you contact them you have to include your Article 14 privacy notice – even if it’s just a URL,” says Chase-Borthwick. “Although mostly the same as an Article 13 notice, you also have to disclose exactly where you got the data from. So if you are passing data between affiliates this makes it much more transparent for the end user.”

GDPR is all about transparency and plain speaking. While it may be a culture shock it’s about how we would all want our data treated as consumers. And we know it’s the world we want to live in otherwise Mark Zuckerberg wouldn’t be in front of the Senate.

————

Editor’s note: At WNIP we spent many hours, too many to mention, crafting our own GDPR-compliant privacy policy. It was a hybrid approach based on interviews and podcasts we undertook with legal data & privacy specialists in the City of London; our own research into other website’s privacy policies, some of which are industry-leading in their transparency, clarity and openness; as well as free resources and ‘how to’ guides including WikiHow and HubSpot amongst notable examples. We also leaned heavily on the Information Commissioner’s Privacy Notices in Practice guidance which is an excellent starting point and contains what it describes as ‘good and bad examples‘.

 

Pete Roythorne is a founding partner of communications agency three-sixty. He is also a renowned writer and has written extensively on marcomms, ad tech and IT security, contributing to a wide range of titles, including the Financial Times, Marketing Week and Campaign.