Updating website privacy statements for the GDPR
Data protection laws will undergo a major upgrade when the GDPR (General Data Protection Regulation) supersedes the Data Protection Act on 25th May 2018.
The length of some privacy statements is a big problem. Research by Professor Lorrie Cranor of Carnegie Mellon University suggested visitors would need to set aside 244 hours a year to read the privacy statement of every website they visited.
The GDPR attempts to tackle this, not by addressing lengthy policies, but by requiring websites to state the most important points in an easy-to-read format at the point where personal data is collected and/or consent is required. The GDPR states that organisations that collect personal data must provide information that is:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
If you run a website, you might not think you are collecting personal data, but be aware of cookies being used by the systems that power your website. For example, do you use Google Analytics to monitor usage? Does the Content Management System you use collect user data? Is there a sign up to an email list?
Check what you collect and start planning now for these changes. More information and some useful examples can be found on the Information Commissioner’s Office website at ico.org.uk.