A rational privacy notice template

Our research into compliance with Articles 13 and 14 of the GDPR, initially published in early 2021, clearly showed that many businesses were failing to create online privacy notices that fulfilled the intended purpose of the Articles — that of assisting data subjects in exercising their statutory rights under the legislation — and there has been little if any evidence of improvement since that report was published. Clearly, there is a lack of necessary guidance, the wording of the Regulation itself never having been of much assistance, and the prospect of complaints about lack of clarity leading to regulatory action remains as present as ever.

To assist in resolving this issue, as a service to the business community we have devised a structure template for a rational privacy notice, and have made it freely available for use, and for distribution in its unmodified form, under the Open Content License. The template imposes a hierarchical structure on the information required by Articles 13 and 14 to ensure completeness and clarity.

The first thing we should recognise is that, for the sake of clarity, a separate privacy notice is needed for each category of data subject (web site visitors, enquirers, established customers, suppliers, staff, etc.). Otherwise, data subjects will have to plough through volumes of text to find the information relevant to their specific relationship to the data controller. This point has widely been ignored — indeed the most egregious examples we encountered in our research were in excess of 30,000 words long, covering all categories of data subject without clear distinction between them.

Our investigations have ultimately established that the most effective primary reference point for each category of data subject is the lawful basis for processing. This makes sense, as that is what decides which rights and remedies they can exercise in respect of any specific processing. Selection of the appropriate lawful basis is also the key consideration for data controllers, because only one lawful basis may be assigned to a given processing purpose and it can be complicated and expensive to change once declared, so this entry point optimally supports the requirements of both parties. Consequently, the lawful basis, rather than the data categories as commonly presented, is the rational entry point to the structure.

The template includes guidance notes. Nevertheless, BiR can offer further guidance if required. Please email with the nature of your query in the first instance.

Download the free template

NOTE: this template has been provisionally accepted for consideration by the Parliamentary Science, Innovation and Technology Committee in connection with the proposed revision of UK Data Protection legislation.

Mike Barwise
Director, BiR
01/08/2023