How to craft a global privacy notice
A step-by-step guide for a multinational organisation
Introduction
Most organisations that operate globally face the difficult task of designing and drafting a global privacy notice that caters to multiple data protection laws at the same time, while also ensuring that customer trust is not undermined by the organisation's (perceived) lack of transparency about its data collection and processing practices. A global privacy notice exacerbates the common issues that plague regular privacy notices, such as complexity and length, and is more likely to miss an element required by one of the applicable data protection laws.
Although we at Trace have extensive experience working with global clients, a single article cannot encompass the context-specific process of drafting a global privacy notice. What we can do is explain how we approach it and share useful tips along the way, and extend our expertise if needed.
Step 1: Create a ‘RoPA’ and map the flows of personal data
The starting point has to be a solid understanding of what personal data your organisation collects. As that information flows through the different functions within your organisation and on to the third parties you partner with, each of those journeys has to be documented and well understood. All of this is achieved by creating a Record of Processing Activities ("RoPA"), sometimes known as a data inventory, and a data flow map. These are the backbone of any data protection compliance effort and a prerequisite for a proper global privacy notice. At Trace we partner with clients to support this mapping process through an audit, and the Trace platform then keeps the RoPA evergreen.
Step 2: Identify the applicable laws and regulations
Based on the personal data that is collected, the markets where you offer your products or services, and the location of your employees, among other factors, we are able to identify all the data protection laws and regulations that apply to your organisation. Let's assume that your multinational organisation of 300 employees and a global turnover of $75m is focusing on the European, Californian, and Australian markets, and processes the personal data of individuals located in these regions. If at least some of this collection takes place through the organisation's website, the global privacy notice has to cover the GDPR, the CCPA as amended by the CPRA, and the Australian Privacy Act 1988.
Step 3: Visualise all the requirements by using a global data protection law mapping chart
A full overview of all the privacy notice requirements of the applicable laws is required. A global data protection law mapping chart, such as the ones maintained by the IAPP or by DLA Piper, is a useful starting point. Unfortunately, these public tools are not granular enough when it comes to writing a privacy notice; the additional requirements and details are found in the guidance and opinions published by the European Data Protection Board ("EDPB") and the Article 29 Working Party ("WP29"), the CCPA Regulations published by the California Privacy Protection Agency, and the Australian Privacy Principles Guidelines published by the Office of the Australian Information Commissioner. Data protection professionals, Trace included, already have these comprehensive tools and the expertise needed to use them, which accelerates any compliance effort undertaken by an organisation.
It is likely that you or your data protection consultant will end up creating your own comprehensive chart that focuses only on the laws applicable to your organisation. This chart would also include guidance and additional information provided by the regulators, and perhaps even insights drawn from enforcement actions.
Step 4: Identify the strictest applicable law
In this context, we use the strictest applicable law as a baseline, and in our example this would be the GDPR. Although the objective is for your global privacy notice to cover multiple laws at the same time, it is best practice to start with the strictest one in order to be sure that all of its requirements are met. If you were to choose the CCPA as a baseline, you would be more likely to omit an element or characteristic of a privacy notice that the GDPR requires.
Step 5: Identify areas of overlap
Once we have the full overview of all the requirements, we may begin to identify the areas of overlap between the baseline law and the other applicable laws. Whenever we identify such an overlap, we might find it more efficient to rationalise the requirements. In our scenario, this means that for each overlapping requirement you would comply with the GDPR standard and thereby satisfy the corresponding requirements of the other two laws at the same time.
For example, the GDPR (Art. 12(1)), the CCPA (Section 7003 of the CCPA Regulations), and the Privacy Act 1988 (APP 1.3 and Chapters 1 and 5 of the APP Guidelines) share the requirement of providing the information within a privacy notice in a manner that is clear and easy to understand. Since the GDPR is our baseline, we would use Article 12(1) and WP29's Guidelines on Transparency to comply with this overlapping requirement. Article 12(1) states that the information should be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". Paragraphs 8-13 of the Guidelines provide further details about each of these elements:
"Concise and transparent" means the information should be presented efficiently and succinctly in order to avoid information fatigue, and be clearly differentiated from other non-privacy-related information such as contractual provisions or general terms of use.
"Intelligible" means the information should be understood by an average member of the intended audience.
"Easily accessible form" means it should be immediately apparent to the data subject where and how the information can be accessed.
"Clear and plain language" means the information should be provided in as simple a manner as possible, avoiding complex sentence and language structures, and should not be phrased in abstract or ambivalent terms or leave room for different interpretations.
Some of the elements mentioned above can be satisfied by using the solutions described in paragraphs 33-40 of the Guidelines: layered privacy notices, just-in-time notices, and privacy dashboards.
Whenever we identify an outlier, that is, a requirement of another data protection law that is not covered by the baseline law, it is addressed independently. For example, the CCPA allows consumers to opt out of the sale or sharing of personal information (Section 1798.120) and to limit the use and disclosure of sensitive personal information (Section 1798.121). Neither of these rights is afforded by the GDPR or the Privacy Act 1988, which means that they will be addressed in a separate, California-specific section of the global privacy notice.
Identifying all the requirements eligible for rationalisation and the ones that act as outliers would not be feasible without a comprehensive chart that accurately maps the requirements of these laws onto each other.
Step 6: Draft the global privacy notice
When we draft global privacy notices for our clients, our bespoke approach relies on a deep understanding of each client's communication style and tone of voice, which are then aligned with the target audience on the receiving end of the notice. We also use various positive design patterns, such as layered notices, privacy icons, and many others that improve the transparency and manageability of how organisations use personal information. These measures increase consumers' trust in our clients, which is often the main enabler of conscientious privacy practices and compliance with data protection laws.
Challenges
You might be wondering which definition of personal data to use in your global privacy notice. After all, most comprehensive data protection laws around the world define personal data/information differently. All these definitions are certainly essential for organisations to comprehend, but what about the actual people reading the notice? Will they appreciate the thoroughness and the cover-yourself approach of including multiple definitions and the "correct" personal data/information designation? Or will they be confused as to why the definition of "personal data" at the beginning of the notice differs from the definition of "personal information" in the middle of it?
The target audience is likely to feel overwhelmed at the mere sight of a global privacy notice. What is the point of amplifying this feeling instead of providing a single, overarching definition of "personal information" that aligns with the baseline law and covers all the other ones? Actually, we could go one step further: for the average individual, what is the added value of "personal information means any information relating to an identified or identifiable natural person" when, just a few lines below, they will find a list of all the categories and precise data elements that are collected? People do not care about the definition; they just want to know what gets collected and how it gets processed. Not a single data protection law or supervisory authority requires personal data/information to be defined in a privacy notice, so why is this still a trend?
In a similar vein, the rights afforded to data subjects may come in different flavours depending on the applicable laws. Again, keep your notice clean and use a universal explanation of what each right means. People will be informed of exactly what a given right affords them the moment they initiate a request and indicate where they are located. You cannot claim to uphold the rights of data subjects when you (accidentally) put roadblocks in place that prevent them from understanding or exercising those rights.
Conclusion
A global privacy notice is important not only because it is legally required, but also because, for your customers, partners, and regulators, it offers a glimpse into your organisation's privacy maturity level. A higher (perceived) maturity level increases these stakeholders' trust in your data collection and processing practices, which in turn opens new avenues for revenue-generating processing activities.
How Trace can help
We can help you navigate the treacherous waters of global privacy notices in a holistic, pragmatic, and bespoke manner. You can also find templates online, but the difficulty lies in an organisation's ability to understand exactly what personal information is collected, how it flows into and out of its perimeter, and how to identify the overlapping and outlier requirements of the applicable data protection laws. A simple template cannot do this for you, but you can count on us. Don't hesitate to get in touch with us for a discussion about your context and needs.
This article was authored by Trace privacy consultant Bogdan Barburas, CIPP/E, CIPT, CIPM, CIPP/US.
Read our privacy notice for how we process data.