Anne-Marie Hayden

Guidance on consent often emphasizes that notices need to be in plain, easy-to-understand language for the consent to be meaningful. The thing is, the guidance doesn’t often tell you exactly how to do that.

In a recent speech to records and information management professionals, I offered a few concrete tips on how to improve your privacy communications.

Here are my top 10 takeaways:

1. You’re almost always writing for online, so apply best practices in web writing when drafting privacy notices and policies.
2. Make sure your sentences are short and concise, with one idea each.
3. Use action words and avoid the passive voice.
4. Eliminate jargon, acronyms and abbreviations.
5. Use sub-heads – they make your text scannable.
6. Use bullets and numbered lists instead of paragraphs.
7. Lead with the “top tasks” – the main reason people go to that page.
8. Use layers to point to more in-depth information.
9. Ask someone who’s less familiar with your subject matter to review.
10. Run your content through readability and accessibility tests that are available on most word processors.

Applying these best practices can help your organization be more clear and transparent about its privacy practices. Even easier… you can reach out to us, at nNovation LLP, for help with it.

I participated on a panel recently, at an event organized by Wirewheel and with some other distinguished folks, to explore the idea of the chief privacy officer as spokesperson. The event was under Chatham House rules, so I can’t provide a play-by-play of the conversation, but I did want to take a moment to share some thoughts I had on this topic, leading up to and during the event.

Let’s start by considering a few things we know: that people care about their privacy – otherwise, there wouldn’t be laws and we wouldn’t be in business; that more and more, people want to do business with organizations they feel are ethical; that doing privacy well builds customer trust; and that regardless of the role consent may play down the road, the need for openness and transparency isn’t going away anytime soon. 

I believe that with the right foundation, making the CPO – the subject-matter expert on and champion for privacy – more proactively visible in an organization’s communications can be a way to demonstrate more transparency and accountability, and that it has the potential to boost an organization’s credibility and help it stand out as privacy leader in the marketplace.

What does it take for a CPO to delve into the wonderful world of communications? Granted, every situation is different. It certainly depends on the maturity of their privacy framework and whether they’re confident the organization’s privacy is in good shape. If not, we suggest you consider getting your privacy “house” in order and nNovation can certainly help. It also depends on whether collecting and protecting personal information is a relevant aspect of the business model. It depends on the company’s communications policy and whether it’s open to a more decentralized approach and the CPO’s level of knowledge on the subject. And it certainly takes collaboration with communications experts – within or outside the organization – as well as proper planning, training and practice.

What form can this take? I’m not suggesting that the CPO needs to get out there tomorrow to pitch and grant interviews to the Globe and Mail on their company’s privacy practices or that the CPO should take over the comms function – we need to recognize that everyone has their role. What I am suggesting however is that with the right planning, the CPO may be the best person, as the subject-matter expert, to respond to certain media requests, pen a blog, submit an article to a trade publication, participate in a podcast, give a speech on the topic and even play a role in privacy-focused marketing. Exploring the potential of these activities with the company’s comms team can help ensure the CPO is well prepared with clear key messages, strategies for responding to challenging questions, and armed with best practices and things to avoid. In this world, let’s face it: almost everyone is a communicator to a degree. These are very transferable skills and in my experience it’s best to get your feet wet and not wait until something goes wrong to try to develop these muscles.

What about when things do go wrong? There can also be a role for the CPO in public communications, in the unfortunate event of a privacy breach. If the organization has done a risk assessment, collects personal information and has identified cyber security as a risk, the company likely has mitigation strategies in place. It’s important to remember that these should go beyond the technological ones. Breach preparedness is key to successfully weathering a breach, reputation intact. Building a communications strategy directly into that breach response plan is essential. Part of the equation is ensuring subject matter experts, like the CPO, are ready, willing and, most of all, able. Sure, there are certain occasions when the CEO will have to be the spokesperson and there are others when it might make sense for corporate communications to handle things. I would argue that in an era of openness and transparency, when privacy is paramount, considering a more proactive role for the CPO in communications and a public role in the event of an incident is a way to help establish trust and credibility – in either scenario. Are there risks associated with the CPO being out there?  Sure, but I’d encourage organizations to weigh those against the advantages, as well as the risks of not doing so.

I have spent more than 25 years as a communicator and 18 years in privacy. After a brief time in the culture and heritage sector, I came back to privacy not only because of the great importance of the issue, but because I think deeper links can be made between these two often separate ideas – communications and privacy – and I want to play a role in that. Privacy is sometimes seen as standing in the way of certain communications and marketing efforts. I’d like to concentrate on updating that narrative. If you look closely at the privacy principles, you’ll see that about half of them can be significantly advanced through effective communications. We can help organizations understand and implement communications strategies that will enable them better comply with privacy requirements on the front end, better respond publicly to privacy incidents when they do occur and ultimately contribute to better positioning them as the privacy-forward organizations they are… and can be.