elevenM Senior Consultant Tessa Loftus discusses ways to use privacy communications to improve the value of your privacy practice and organisational reputation.
Doing privacy well is hard work, time consuming, and resource intensive. But there are ways to use privacy communications to improve your organisation’s reputation, making the hard work and good processes more visible every day (and earning you a buffer of consumer trust for when you do experience a data breach or cyber-attack).
Here are three ways to improve your privacy communications practices across the board.
1. Make it findable
The first step is to make sure information about your privacy practices is easy to find. This may seem like a basic step, but a surprising number of organisations fail at the first hurdle. In our experience, organisations that excel at findability have a privacy landing page linked in their primary footer, placed so that it is easy to see (more on the content of that page later).
Organisations that do poorly bury their privacy information in their ‘Terms and Conditions’, have poorly structured footers, or footers that are hard to access (for example, because a page is too long to scroll to the bottom, or a footer that is only available from certain locations in the website), or simply don’t include privacy information in a menu system at all.
2. Make it readable
Privacy professionals and regulators have been talking about plain English, summary policies and accessibility for many years now. The final report on the Privacy Act review has called for accessibility and plain English to be a requirement for meeting compliance obligations, so this is an area that is likely to start receiving some official attention.
- Plain English privacy policies and collection notices
- Summary privacy policies
Accessibility is an essential component of transparency and good communications, and not addressing it affects a significant number of people. As I have argued previously, for your privacy program to be “open and transparent”, it must also be accessible.
- Parent organisation/ Enterprise privacy policies
Complex organisational structures can make privacy policies complex and unwieldly. Broadly speaking, you cannot expect a consumer to read multiple privacy policies (most don’t read even the one), so if your organisation sits within a parent organisation (or is the parent organisation) best practice is to ensure that the privacy policies are consistent.
3. Provide the information that people need
Privacy policies and collection notices are required to provide specific information, and generally this is the information that people also want to know — what personal information do you collect, what are you doing with it, and how to do they contact you with issues or access requests?
A privacy landing page on your website can be an easy way to meet all these needs. Good privacy landing pages will often have ‘bite-size’ information or FAQs, with links to privacy policies and other relevant documents. It is also worthwhile investing the time/effort in good UX design, as this can make information considerably easier to find and absorb, and supports an intent of transparency.
The most important thing to remember is that you are providing this information with the intent of open communication. Using privacy communications to obscure or obfuscate questions around personal information handling practices undermines the purpose of the activity, and may do more harm than good.
Why are good privacy communications important?
Studies show people are less likely to trust organisations with poor cyber security and privacy communications. For example, the 2023 IAPP Privacy and Consumer Trust report, shows that 64% of consumers globally think that companies that provide clear information about their privacy policies enhance their trust, while only 29% of consumers said it is easy for them to understand how well a company protects their personal information.
The same report shows that 30% of global respondents think that writing in simpler language would help their understanding of an organisation’s privacy practices, while 21% said companies having user-centric webpages would help them exercise their privacy rights. At the same time, the Office of the Australian Information Commissioner reports a general downward trend in consumer trust of organisations around the handling of personal information.
Many companies have excellent communications strategies for dealing with data breaches and cyber incidents. But that is a reactive (although important) approach. A more strategic approach (and one which enhances the effectiveness of a data breach communications strategy) is to have high-quality, consumer-friendly privacy communications as your default, thus establishing your company as transparent, accountable and committed to privacy.