Privacy policy or privacy notice?


Occasionally I get asked "should I have a privacy policy or a privacy notice?".

And the answer is usually "both" (or, at least, things which have the same effect).

If you're not sure what the difference is, or whether you've got the right things in place for your business, read on...

A privacy policy

One of the requirements of the GDPR (Article 5(2)) is that you must be responsible for, and be able to demonstrate compliance with, the principles relating to the processing of personal data. This is known as "accountability".

One aspect of this is a set of policies which explain your organisation's approach to compliance with the GDPR's principles, and a set of processes which set out how you will do this.

Your policies may not change too much, but you will change your processes as your organisation changes the way in which it processes personal data.

These are often — but not always — internal-facing documents, for you and your business.

Make sure you have a policy about reviewing your policies and processes, and that you keep a log of when you have reviewed them and what you have changed: this log is, in itself, part of accountability.

If you have something as fancy as a product development cycle, tie a review of your processes (and, if necessary, your policies) into it, so that what you have documented does not drift out of kilter with what you are doing in practice.

(Accountability means more than just some paperwork — depending on your business, potentially quite a lot more. The ICO has a beta "Accountability framework" which should help you in the right direction, and we can help you design a framework appropriate to your business's particular needs.)

A privacy notice

A privacy notice is a common way of meeting the GDPR's transparency obligations (the information requirements in Articles 13 and 14, delivered in the manner Article 12 requires). For example, our privacy notices are here.

Better still is to communicate the key transparency information contextually.

This means explaining what you are doing with personal data clearly and simply at the point at which the user is giving it to you, or when you first process it. That way, you can be specific, and avoid a notice full of "we may [do this]" and "if we do [whatever]".

Here's our guide to preparing privacy notices in three simple steps.

As with your policies and processes, you'll need to keep these up to date, and having a documented process for doing so is important from an accountability perspective.

The emphasis is on delivering the right information at the right time, not the form of the delivery, so you don't need a "privacy notice" as long as you deliver the required information in a different way.

Does it matter what I call them?

Not really, no.

I find it easier to conceptualise them as "business-facing" policies and processes and "data subject facing" notices and transparency information.

The ICO talks in the language of internal "policies and procedures", so using something similar to the language used by the ICO might be helpful in the event of an investigation. But that's a bit of a stretch: what they contain is more important than what they are called, so focus on demonstrating accountability, and on meeting your obligations around transparency, rather than worrying about a name.
