COULD A POORLY-DRAFTED PRIVACY STATEMENT BE DAMAGING YOUR BUSINESS?

This morning, not for the first and not for the last time I’m sure, I advised a client to discount a potential new supplier after reading their privacy statement. The supplier has no idea that they just lost a potentially very big sale because their statement was not up to scratch. But the statement contained enough clues that this company did not take data protection legislation seriously that I very quickly assessed that my client could expect to have significant difficulty getting this supplier signed up with a GDPR-compliant data processing agreement in place.

YOUR PRIVACY STATEMENT COULD BE WARNING POTENTIAL CUSTOMERS THAT GETTING A DATA PROCESSING AGREEMENT IN PLACE WITH YOU COULD BE DIFFICULT

We have enough experience of trying to get suppliers to take the data processing contract content seriously – and ultimately failing.  It costs our clients time and money. So these days we just don’t go down that road. If the warning signs are there from the beginning, we suggest looking around the market.

Your Privacy Statement does more than just inform data subjects about how you process their data. It’s a window into your compliance activities. That’s why it's our first port of call when we are evaluating data processors. It is full of clues about where your weaknesses might lie, and it helps us to identify where to start an evaluation.

LET’S TAKE A REAL-LIFE EXAMPLE SO YOU CAN SEE HOW THE PROCESS WORKS

Last month I was asked to help evaluate some options for desktop communications tools that a client wanted to introduce into their business. Before we ever asked for a product demo, I went onto the websites of the three tools that my client was interested in evaluating.

One of the privacy statements talked about PII and personal data interchangeably. It had some definitions at the start of the statement and then about half-way through some more definitions including a repeat of an earlier term with a new take on what it meant. My educated guess was that the statement was cobbled together from at least two sources.

Here lie some tell-tale clues that the company had not taken any professional advice. Chances are as a result they have made fundamental mistakes in their compliance program which would take us time and effort to iron out with them. 

It also told me that the company probably does not take compliance as seriously as they should. It could be folly to enter a relationship with them as a processor because they may not be capable of responding adequately to a data breach or supporting any data subject access requests we receive. That could tarnish our client’s reputation and it’s a risk not worth taking.

Another privacy statement talked about being a “joint processor”. So, we all know that’s not a thing. Here’s a helpful indicator that my client would be facing into an uphill battle and spending time and energy negotiating data processing agreements from first principles because what are the odds their data processing agreement (if it exists) will identify them as a joint processor. That supplier played in a busy market with lots of competition and guess what, they didn’t make the shortlist for assessment.

It’s worth putting some time and effort into your privacy statement because for us privacy professionals it’s a shop window into your compliance program. It provides some useful clues about when it’s worth continuing to evaluate a potential supplier and when it’s better to walk away often before they even know we were interested.

QUICK TIP: MANY COMPANIES GET THIS TERMINOLOGY WRONG AND IT CAUSES CONFUSION

A Privacy Policy is an internal document that the company uses to set and communication its policy around the collection and processing of personal data

A Privacy Statement is a communication to your customers/website users/ service users that communicates to them why and how you process their personal data and what rights they have in relation to that processing

A Privacy Notice is a term we use for privacy statements you provide to your employees. It’s a convenient way to distinguish between employee communication and external customer-facing communication.

If you are a software company working towards being acquired check us out next month as Tricia will be outlining how data protection compliance is being evaluated in the acquisition due diligence process.