How did a free bottle of wine shine a light on the relevance of GDPR privacy rules for SMEs?

In light of the free wine experiment, is it time to ditch some of the small print altogether, or at least for businesses of a certain size/type?‍

"Preferably, yes! But sadly this isn’t always possible, as businesses of all sizes (rightly) have legal obligations to keep their customers informed about how they are using and protecting their personal information. Particularly with the ever-growing threat of cyber-crime, that is something that all businesses need to have a handle on, whatever their size. The complexity will depend on what personal data, and for what purpose, the business is processing – look at Meta’s reams of policy information!

"However, businesses do have obligations to make the information accessible, especially when services are aimed at children. There are some great examples of simple policies online, but putting the work in to create a document that’s bespoke, engaging and simple is often time-consuming – it can often mean having multiple versions of your terms, aimed at different ages of reader or for different services (an SME might, for example, have a separate privacy policy for job applicants vs users of their website)."

How much does complying with every aspect of GDPR cost SMEs, in time and money?‍

"There’s no one-size-fits-all here. It really depends on the business, what data they use and their internal resources. We are lucky in the UK that our data protection authority, the ICO, puts out a wide range of materials to help SMEs (including template privacy notices), but these can still be difficult to navigate for someone just learning about these requirements for the first time and (generally speaking) the complexity of the legal compliance obligations turn on the type and quantity of personal data the business processes (and who it shares this with), not on the size of the business.  

"An SME that just wants to provide a website, and potentially collect contact information of engaged, consenting customers, likely doesn’t have too much to worry about, and could “do it themselves” with in-built tools from their web developer for cookie consents and resources available online, as well as leaning on their own providers. However, as more complexity is added, usually experts should be involved to ensure a compliant approach."

What is the average number of words in each policy and how long would it actually take to read one?‍

"A study from De Montfort University concluded that the average had increased to around 4,000 words by 2021, which would take someone around 15 minutes to read.

"The ICO’s template is just 900 words, so a page or two. Meta’s runs over several layered documents, and could constitute a (very dry) novella, albeit they have invested in explanatory video content and a more accessible layered approach. It’s highly unlikely a customer could read all of the privacy documents they’re given from each social media platform, connected device and the myriad of other technologies they engage with, so companies directing consumers through links to the information they need is vital.

"Perhaps even more importantly, though, the exercise of writing the privacy policy requires a business to understand its use of personal data, and map that out in a relatively comprehensible way. That might often feel like overkill - until a serious data breach occurs and the ICO comes knocking."

An extract of Andrew's comments was published in The Telegraph, 13 May 2024.