We insure hundreds of agencies, many of which focus on web development. For those companies our discussions normally revolve around Professional Indemnity insurance, and how it protects them for legal action arising from all sorts of issues. One interesting question raised recently related to how agencies advise their customers on the privacy notices displayed on their websites.
Getting that wrong, even as simple as using an “off the shelf” notice that doesn’t fit the business, could lead to a Professional Indemnity claim. I’m not convinced all agencies are aware of that risk, so we asked one of our partners who specialises in GDPR and data compliance to give us his input
A common conversation I have with clients is around the relevance of their website’s privacy notice.
It usually goes something like this:
Paul: “I’ve had a look at the Privacy Notice you show on your website and it really doesn’t meet the requirements of GDPR Article 13, you need a rewrite.”
Client: “Yeah, not sure where that one came from to be honest – I think the web developers put it there.”
Super. The single most critical and visible aspect of your GDPR compliance state has been created and posted by someone who is no doubt an absolute wiz on UX and a superb designer but………who knows nothing about Article 13, nor your data processes, purposes, lawful bases, retention policies, or applicable subject rights. You have then just let that happen and put it out as a live document in the public domain.
So what happens when a subject access request lands and you have to supply a copy of the privacy notice along with the personal data? Maybe that even ends up being sent to the data subject’s lawyer who does know what is required under Article 13? Problems for the client – potentially leading to compensation claims and even sanctions from the regulator.
Of course the client will then lay all that liability at the door of the web developers who put it there, are they insured for that?
And lastly – call it a Privacy Notice (not a policy, it is meant to inform not compel) and put it somewhere people will see it when they are providing personal data (hint: that’s not at the bottom of the page).