Under the GDPR, data controllers are tasked with communicating to data subjects how their data is processed in a way that is both concise and transparent. From a consumer-protection perspective, this is undoubtedly one of the regulation’s more commendable requirements; as many who have drafted website privacy policies understand, there is often tension between the twin goals of concision and transparency. Providing fully transparent disclosure about data-processing activities, while keeping such disclosures brief and easily readable, can be a tricky balance to strike.
One question the GDPR may prompt is whether it makes sense for an organization to maintain separate residency-dependent privacy policies, or a single, all-encompassing policy. There are pros and cons to each, and what works best for a particular organization will often depend on the operational impact of each, as well as the usability of each by the relevant data subjects.
The Multiple Privacy Policies Approach
Organizations that treat data-subject information differently depending on its origination point, or that opt not to extend the enhanced protections offered under the GDPR to non-European data subjects, may prefer to maintain separate residency-dependent privacy policies.
In this instance, the benefit is that each policy can be tailored, and made fairly concise and readable, as it is not “cluttered” with terms that are irrelevant to the user. Some organizations may also favor this approach if they prioritize making only the disclosures required by local law and are concerned that a GDPR-compliant policy would cause operational headaches if applied more broadly.
The Single Privacy Policy Approach
A single, all-encompassing policy is generally simpler for data subjects to navigate, as no decisions need to be made about which policy may apply. It also may be easier to administer, as it would have fewer distinctions in how personal data is treated depending on its country of origin. For these reasons, it’s the more popular choice as of the date of this blog posting.
The drawbacks to this approach are that the single policy will be longer than the tailored policies of the multiple-policy approach, as it will include terms specific to certain residents that are potentially irrelevant to others. Some organizations also reject it because they prefer not to exceed the minimum disclosures required by local law.
Your Organization’s Approach Depends on Its Data Security and Privacy Culture