Before roll out
Carrying out user testing will provide useful feedback on a draft privacy notice. This is where you select a sample of your customers, ask them to use your privacy notice, and obtain their feedback on:
- how they used it;
- if they found it easy to understand;
- whether anything was difficult, unclear or they did not like it; or
- if they identified any errors.
Asking your customers to do this will help you improve the effectiveness of your privacy notice. You are likely to come up with a far more useful and engaging product if you consider feedback from the people it is aimed at.
You may produce a privacy notice that is based on assumptions you have made about a user’s journey around your website. However, during your user testing you identify that people are often directed to a specific page straight from a third-party search engine and therefore miss some of the privacy information that you have supplied on your homepage. Having identified this, you can ensure that your privacy information is correctly connected together so that individuals do not miss anything important. For example, you can provide a link to your full privacy notice in all your just-in-time notices, so that an individual can see the important message at that point in the journey but can also refer back to the full document to see if they have missed anything.
Having made any changes to your privacy information as a result of user testing, you are then ready to roll it out using the tools and approaches you have selected.
After roll out
It is good practice to regularly review your privacy notice. You should:
- ensure that it remains accurate and up to date;
- analyse complaints from the public about how you use their information and in particular any complaints about how you explain your use of their information;
- check that your privacy notice actually explains what you do with individuals’ personal data; and
- update your privacy notice to reflect any new or amended processing.
As well as regular reviews, you should review your privacy information whenever you change or update a process. This follows the concept of privacy by design and you should incorporate this approach into your processes. You should check whether or not your changes impact upon what privacy information you provide and, if they do, amend your privacy information appropriately. If you are relying on consent for your processing, you may also need to ask data subjects for their consent.