GDPR is almost upon us. If you haven’t updated your privacy policies yet, here’s what you need to know and how to get it done quickly.
Sophie Chase-Borthwick, global lead – GDPR services at data optimization and privacy specialists, Calligo, explains. “The ICO has a lot of good resources and guidance. However, they can’t give too many hard and fast examples as they know perfectly well people will simply copy it verbatim. The reality is that some companies are very basic and old school when it comes to data, whereas others do impressive things with demographics and analytics. Each one of those will have very different privacy notice requirements.”
While you can’t copy someone else’s policy wholesale, you can look at what works and what doesn’t for other publishers. Of the big publishers, Chase-Borthwick cites the BBC as a good starting point to see how to get it right, certainly in terms of look and feel.
Under GDPR, any time anyone properly engages with your website – not just reading, but wanting to know more and signing up – you need to have your privacy notice right up there. You need to let them know up front what you do with their data. If they have to go and search for this, then, again, you are going to fall foul of GDPR.
Another area where publishers are potentially likely to be caught out is the need to declare if they pass information between magazines under the same company umbrella.
“Just because someone subscribes to one title doesn’t mean you are allowed to pass data between that and another title without full disclosure,” explains Chase-Borthwick. “GDPR is very clear on this: affiliate companies within the same structure are still considered external third parties. The only way this would not apply would be if all titles were part of the same legal entity.”
So tell people clearly if you are sharing details. This doesn’t mean vaguely skirting round the point by saying “we may share your details with some of our affiliates”; you need to say “we will share your data with affiliates within our parent company”. Again, this is all about plain English.
This links to the final point Chase-Borthwick raises. What we’ve been talking about so far is what is officially termed an Article 13 privacy notice. This is where the organisation gets its information directly from the “data subject”, i.e. if someone subscribes directly to your magazine. An Article 14 notice, on the other hand, is where that data is acquired from a third party, including your affiliates.
“If you contact someone that came to you via someone else, then the first time you contact them you have to include your Article 14 privacy notice – even if it’s just a URL,” says Chase-Borthwick. “Although mostly the same as an Article 13 notice, you also have to disclose exactly where you got the data from. So if you are passing data between affiliates this makes it much more transparent for the end user.”
GDPR is all about transparency and plain speaking. While it may be a culture shock, it’s about how we would all want our data treated as consumers. And we know it’s the world we want to live in; otherwise Mark Zuckerberg wouldn’t be in front of the Senate.