We insure hundreds of agencies, many of which focus on web development. For those companies our discussions normally revolve around Professional Indemnity insurance, and how it protects them for legal action arising from all sorts of issues. One interesting question raised recently related to how agencies advise their customers on the privacy notices displayed on their websites.
Getting that wrong, even something as simple as using an “off the shelf” notice that doesn’t fit the business, could lead to a Professional Indemnity claim. I’m not convinced all agencies are aware of that risk, so we asked one of our partners who specialises in GDPR and data compliance to give us his input.
A common conversation I have with clients is around the relevance of their website’s privacy notice.
It usually goes something like this:
Paul: “I’ve had a look at the Privacy Notice you show on your website and it really doesn’t meet the requirements of GDPR Article 13, you need a rewrite.”
Client: “Yeah, not sure where that one came from to be honest – I think the web developers put it there.”
Super. The single most critical and visible aspect of your GDPR compliance state has been created and posted by someone who is no doubt an absolute wiz on UX and a superb designer, but who knows nothing about Article 13, nor your data processes, purposes, lawful bases, retention policies, or applicable subject rights. You have then just let that happen and put it out as a live document in the public domain.
So what happens when a subject access request lands and you have to supply a copy of the privacy notice along with the personal data? Maybe that even ends up being sent to the data subject’s lawyer, who does know what is required under Article 13? Problems for the client – potentially leading to compensation claims and even sanctions from the regulator.
Of course the client will then lay all that liability at the door of the web developers who put it there. Are they insured for that?
Learning points:
And lastly – call it a Privacy Notice (not a policy, it is meant to inform not compel) and put it somewhere people will see it when they are providing personal data (hint: that’s not at the bottom of the page).