GDPR & Plain Language – How To Be Compliant
GDPR (General Data Protection Regulation) applies to all companies operating within the EU. US and international companies with an EU customer base must also comply. The mandate becomes law on 28th May 2018, and non-compliant companies risk forfeiting between 2%-4% of top line revenue. One of the core requirements of the GDPR is transparency using clear and plain language.
In fact, there are 7 separate references to ‘clear and plain language’ in the regulation.
Here’s one example,
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
What does this mean for you?
Companies must state in ‘clear and plain language’ how they will handle data, for what purpose and by whom. For example, if a company holds data related to children, then the reading level of the consents must be accessible for those children.
Here’s what the regulation says:
Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
Companies must test all privacy policies and related content for clarity. In this article, we’ll look at how you can test your privacy statements and related content.
A little about Clarity and Readability
First off, the good news is that there are well established readability tests. The two most widely used are the Flesch Reading Ease Index and Flesh-Kincaid. They score reading difficulty using two factors; average number of syllables per word and sentence length.
- The Flesch Readability score is a number between 0 and 100. The higher the score, the easier the text is.
- Flesh Kincaid is similar. It approximates the number of years of education required to easily understand the content. The lower the grade level, the easier to read.
The following table helps to understand the score for Flesch Reading Ease:
- 90-100: Very Easy
- 80-89: Easy
- 70-79: Fairly Easy
- 60-69: Standard
- 50-59: Fairly Difficult
- 30-49: Difficult
- 0-29: Very Confusing
How do you score your content?
There are a few options available. For example, MS Word has both scores built in. That’s useful as you can see how difficult a document is.
But, MS Word does not score down to the paragraph level. So, you can’t easily see which paragraphs have issues, making it hard to fix.
For our analysis, we used VisibleThread Readability. It’s a lightweight readability tool for Doc, Web and Text analysis. The nice thing is that it flags issues at paragraph level & it’s free. There is also a paid version which generates some nice reports. But we were fine with just the free version for this analysis.
We analyzed privacy statements from some companies operating in the UK:
- And a document called Siemens‘s Binding Corporate Rules (“BCR”) – summary of 3rd party rights’.
Here are the Clarity results:
Some quick takeaways:
- Readability – The grade level ranges from grade 11 to grade 19. So, you would need 19 years of education to easily understand the Siemens summary of 3rd party rights — the equivalent to an advanced 3rd level degree.
- Word Count and Spread of Content – Of the 4 companies, 3 have more than 2,500 words. The exception is Siemens at 554 words. But remember, Siemens published an auxiliary document that contains 3,711 words.
- What drives poor readability? When you look at the Siemens doc, 69% of sentences are long. Long means containing more than 20 words. The average sentence length is a whopping 33 words. These characteristics make the content very dense. The score for passive voice is high at 48%.
Based on this sample set, these companies need to rewrite their privacy statements in ‘clear and plain language’. Otherwise they will fall foul of the GDPR.
How do you fix the content?
In this report, we flag very long sentences, passive voice, adverbs and hidden verbs. VT Readability color-codes the issues, so it’s very simple to diagnose and fix.
Imagine the person reading this is a child or has a disability. The person reading this might be someone with only a high school level education or English might not be their first language. Intuitively, we can tell it’s too complex.
Now even with the most technical subject matter, it is always possible to simplify. Think of this as ‘fatty language’. We need to put it on a diet.
Here’s a simple rewrite of the first statement.
In this rewrite, we:
- Reduced the word count from 53 to 36,
- Replaced 2 instances of active voice to passive voice,
- Removed 1 hidden verb (‘protection’ became ‘protect’) and
- Removed 1 adverb.
We did not dilute the meaning or lose any legal impact.
Comparing the before and after versions, we see dramatic improvement:
This technique of splitting sentences, removing passive voice and editing out ‘fatty language’ improves readability.
Most importantly, it allows you comply with your GDPR plain and clear language obligations. And that’s a big deal.
- The GDPR (General Data Protection Regulation) mandates clear and plain language for any company operating in the EU. It becomes law in May 2018.
- Non-EU companies operating in the EU also fall under this regulation.
- We analyzed four privacy statements for companies operating in the EU. These ranged from AIG to Siemens. All were non-transparent and failed to use clear and plain language.
- You can easily score content for plain language by using tools like VisibleThread Readability. These tools provide instant reports on problematic content and suggest fixes.
- Not only can you use tools like this for privacy related content. You can use them for any subject matter, scoring the clarity of product brochures, blogs, content marketing materials and more.