General - March 11, 2020
Who creates your Privacy Notice?

We insure hundreds of agencies, many of which focus on web development. For those companies our discussions normally revolve around Professional Indemnity insurance, and how it protects them for legal action arising from all sorts of issues. One interesting question raised recently related to how agencies advise their customers on the privacy notices displayed on their websites. 

Getting that wrong, even something as simple as using an “off the shelf” notice that doesn’t fit the business, could lead to a Professional Indemnity claim. I’m not convinced all agencies are aware of that risk, so we asked one of our partners who specialises in GDPR and data compliance to give us his input:

A common conversation I have with clients is around the relevance of their website’s privacy notice.

It usually goes something like this:

Paul: “I’ve had a look at the Privacy Notice you show on your website and it really doesn’t meet the requirements of GDPR Article 13, you need a rewrite.”

Client: “Yeah, not sure where that one came from to be honest – I think the web developers put it there.”

Super. The single most critical and visible aspect of your GDPR compliance state has been created and posted by someone who is no doubt an absolute wiz on UX and a superb designer, but… who knows nothing about Article 13, nor your data processes, purposes, lawful bases, retention policies, or applicable subject rights. You have then just let that happen and put it out as a live document in the public domain.

So what happens when a subject access request lands and you have to supply a copy of the privacy notice along with the personal data? Maybe that copy even ends up being sent to the data subject’s lawyer, who does know what is required under Article 13. Problems for the client – potentially leading to compensation claims and even sanctions from the regulator.

Of course the client will then lay all that liability at the door of the web developers who put it there. Are they insured for that?

Learning points:

  •  If it’s your website, own the privacy notice – make sure you review it if it is created externally, and that it accurately reflects your business and meets the requirements of Article 13.
  •  If you are the web developer, don’t just put boilerplate copy there – talk to a GDPR Practitioner who can do this work for you, help you provide a valuable service to the client, and mitigate the consequential risks.

And lastly – call it a Privacy Notice (not a policy: it is meant to inform, not compel) and put it somewhere people will see it when they are providing personal data (hint: that’s not at the bottom of the page).

Paul Strout is the Owner and Chief Consultant at GDPR Assist. Anyone interested in learning more about this subject can contact him here.