Are you Getting Noticed?

Published on November 18, 2021


Privacy compliance obligations are becoming increasingly onerous on global and even US-based companies. The European Union’s General Data Protection Regulation (“GDPR”) is often seen as the gold standard of privacy frameworks, as evidenced by its influence on other privacy laws such as California’s Consumer Privacy Act (“CCPA”) and even Brazil’s General Personal Data Protection Law (“LGPD”).


Unfortunately, the GDPR, and laws modeled after it, are highly complex. For instance, the GDPR has eleven chapters, containing 99 articles. Because of the complexities and nuances of existing and emerging privacy regulations, we, at Advisori, are often asked by our clients where to start with privacy compliance. We believe the first step is knowing what personally identifiable information (“PII”) the business possesses and what it is doing with it. Next is developing a data privacy/protection strategy based on governing privacy regulations, existing capabilities, and available resources.

The second step is memorializing the above in a written privacy policy and privacy notice. We often see privacy policies and notices being conflated. While related, it is important to understand that privacy notices and privacy policies are distinct concepts with different requirements. In this blog, we focus on privacy notices.

A privacy policy is an internal resource, which should instruct employees on the organization’s rules related to PII. In contrast, a privacy notice is a publicly facing document advising potential and existing customers, website visitors, and others on the organization’s PII collection, use, and related privacy practices; more specifically, what categories of PII the organization is collecting and who it is collecting this data from; how it is collected, who it is shared with, what legal basis the organization has for collecting the data, when the data is purged, and what rights the data subject has regarding the collection and use of their data.

As a best practice, we believe an organization should publish a privacy notice in most cases, even where the law does not mandate it. Articles 12, 13, and 14 of the GDPR address the requirements of privacy notices.

At a high level, a privacy notice should include sufficient information so that the data subject can understand what personal data is being collected, why it is being collected, what it is being used for, how long it is being retained, and how the data subject can restrict the processing of her data and even withdraw her consent.

We note, however, that many regulators consider privacy notices a contractual promise by the organization to the data subject. Therefore, a privacy notice must be both accurate and transparent. The GDPR requires plain-language privacy notices, free of legalese or terms buried in poorly structured paragraphs. Furthermore, privacy notices should use definitive language – not qualifiers such as “may,” “might,” “some,” “often,” “usually,” etc., as these terms can be viewed by a regulator as purposefully vague.

Privacy notices should be conspicuously labeled as “PRIVACY NOTICE” and should be in writing, placed on the organization’s website (on the same page where data collection occurs) and be available orally upon request both to ensure adequate comprehension by the reader and to aid the visually impaired.

The following elements should be included in a Privacy Notice.

  • Contact information for the representative/data protection officer;
  • Purpose and legal basis for processing personal data;
  • The legitimate interests of the organization (or third party);
  • Recipient or categories of recipients of personal data;
  • Details related to any inter-country transfers of personal data, as well as procedural safeguards in place;
  • The duration that the data is being kept (retention period), or the criteria under which data is retained;
  • The existence of the rights of the person from whom data is collected (referred to as a data subject under GDPR);
  • The right to withdraw consent;
  • The right to initiate a complaint with the supervisory authority;
  • Whether the personal data pertains to a statutory or contractual right and the potential consequences for failing to provide the necessary data (this is not required if data comes from a third-party);
  • The existence of any automated decision-support/decision-making system; how the system has been set up, its overall process, and any resulting consequences;
  • If data is obtained via a third party, then the privacy notice must state the categories of personal data being collected; and
  • When the privacy notice was last updated.


Privacy Notice Challenges

Drafting and updating privacy notices is time-consuming and risky for a number of reasons. From a legal perspective, there are numerous country/region-specific privacy laws and a rapidly growing number of state-specific US privacy laws. As such, businesses operating in multiple jurisdictions may need to comply with more than just one privacy law/regulation. For instance, California has specific privacy notice requirements unique to that state. Many businesses do not have in-house privacy counsel to draft and maintain privacy notices, and outsourcing such work to a law firm can be costly.

Furthermore, privacy notices are dependent on the business’s data. The categories of PII collected by a business, as well as the business’s use of such data, often change as the business evolves. Maintaining an accurate manual data catalog and keeping the privacy notice synced with the business’s ever-changing data collection/processing is often an untenable task, even for small businesses. The bottom line is, a privacy notice is only as good as a business’s understanding of its data assets, including PII provided by and shared with its customers, vendors, and business partners.

The above effort is even more complicated for larger businesses with segmented departments like product development, marketing, sales, etc., as each group has its own needs and purposes for collecting and processing PII. Moreover, a business can have multiple subsidiaries requiring the use of multiple websites, each with its own set of cookies and other data collection and user tracking technologies.

For the reasons outlined above, privacy notice management is a significant task. Relying on a manual process to do so is often time-consuming and tedious. Aside from the reputational risks associated with inaccurate or incomplete privacy notices, the business is further exposed to regulatory violations and related penalties when failing to have an accurate and transparent privacy notice.

How Advisori Can Help

Advisori has the people, processes, and technology necessary to assist our clients with managing their privacy notices. Using Securiti.ai’s secure privacy portal, we collaborate with all necessary stakeholders to assist in the selection of the appropriate privacy notices from our extensive template library. We then tailor the chosen privacy notice to business operations to ensure a regulatory-compliant, accurate, detailed, and transparent public-facing Privacy Notice.


We also give our clients the option of AI-powered robotic automation and data intelligence, which enables a continuous scan of data stores and automatic updating for any changes to the collection, processing, sharing, selling, or retention of personal data. These updates are then pushed to the business’s published privacy notice, thereby allowing real-time updates. This can include cookie-related updates as well.

Reach out to us at [email protected] to learn more.