COULD A POORLY-DRAFTED PRIVACY STATEMENT BE DAMAGING YOUR BUSINESS?

Your privacy statement is a window display that gives out strong clues about how well or how badly you do data protection. What does your window display say about you?

COULD A POORLY-DRAFTED PRIVACY STATEMENT BE DAMAGING YOUR BUSINESS?

This morning, not for the first and not for the last time I’m sure, I advised a client to discount a potential new supplier after reading their privacy statement. The supplier has no idea that they just lost a potentially very big sale because their statement was not up to scratch. But the statement contained enough clues that this company did not take data protection legislation seriously that I very quickly assessed that my client could expect to have significant difficulty getting this supplier signed up with a GDPR-compliant data processing agreement in place.

YOUR PRIVACY STATEMENT COULD BE WARNING POTENTIAL CUSTOMERS THAT GETTING A DATA PROCESSING AGREEMENT IN PLACE WITH YOU COULD BE DIFFICULT

We have enough experience of trying to get suppliers to take the data processing contract content seriously – and ultimately failing.  It costs our clients time and money. So these days we just don’t go down that road. If the warning signs are there from the beginning, we suggest looking around the market.

Your Privacy Statement does more than just inform data subjects about how you process their data. It’s a window into your compliance activities. That’s why it's our first port of call when we are evaluating data processors. It is full of clues about where your weaknesses might lie, and it helps us to identify where to start an evaluation.

LET’S TAKE A REAL-LIFE EXAMPLE SO YOU CAN SEE HOW THE PROCESS WORKS

Last month I was asked to help evaluate some options for desktop communications tools that a client wanted to introduce into their business. Before we ever asked for a product demo, I went onto the websites of the three tools that my client was interested in evaluating.

One of the privacy statements talked about PII and personal data interchangeably. It had some definitions at the start of the statement and then about half-way through some more definitions including a repeat of an earlier term with a new take on what it meant. My educated guess was that the statement was cobbled together from at least two sources.

Here lie some tell-tale clues that the company had not taken any professional advice. Chances are as a result they have made fundamental mistakes in their compliance program which would take us time and effort to iron out with them. 

It also told me that the company probably does not take compliance as seriously as they should. It could be folly to enter a relationship with them as a processor because they may not be capable of responding adequately to a data breach or supporting any data subject access requests we receive. That could tarnish our client’s reputation and it’s a risk not worth taking.

Another privacy statement talked about being a “joint processor”. So, we all know that’s not a thing. Here’s a helpful indicator that my client would be facing into an uphill battle and spending time and energy negotiating data processing agreements from first principles because what are the odds their data processing agreement (if it exists) will identify them as a joint processor. That supplier played in a busy market with lots of competition and guess what, they didn’t make the shortlist for assessment.

It’s worth putting some time and effort into your privacy statement because for us privacy professionals it’s a shop window into your compliance program. It provides some useful clues about when it’s worth continuing to evaluate a potential supplier and when it’s better to walk away often before they even know we were interested.

QUICK TIP: MANY COMPANIES GET THIS TERMINOLOGY WRONG AND IT CAUSES CONFUSION

Privacy Policy is an internal document that the company uses to set and communication its policy around the collection and processing of personal data

Privacy Statement is a communication to your customers/website users/ service users that communicates to them why and how you process their personal data and what rights they have in relation to that processing

Privacy Notice is a term we use for privacy statements you provide to your employees. It’s a convenient way to distinguish between employee communication and external customer-facing communication.

If you are a software company working towards being acquired check us out next month as Tricia will be outlining how data protection compliance is being evaluated in the acquisition due diligence process.

Join Our Newsletter

Sign-up to receive news and information from Fort Privacy

Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information

AI: THE DOUBLE-EDGED SWORD OF CHANGE

12 June 2024

My personal favourite old Chinese curse, "May you live in interesting times," feels particularly relevant these days. Our world is changing, with both exciting possibilities and daunting challenges emerging on every front. Change, after all, is a double-edged sword. And amidst this whirlwind of change, a new force is rapidly taking shape: Artificial Intelligence.

Crash, Bang, Wallop! What happens when Artificial Intelligence meets GDPR?

07 March 2024

As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!

The Great 2024 GDPR Quiz!

08 January 2024

Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.

Scroll to top