You wouldn’t let your lawyer write your branding and marketing material, wouldn’t you?
So, why is that that you offload to them the task of writing your privacy policy?
The regulation wants you to inform people.
Do it when you are harvesting their personal data.
The goal is to inform people, so they can make an informed decision about using your service or not.
And the regulation stated it black on white: it must be written in clear and plain language, easily understandable by an average person.
This rule was designed explicitly to avoid legal jargon.
Why would you ask a professional not to do what its trade ask her to do?
Consider your privacy policy as UX, marketing and trust building content.
You want your customers and users to understand what you’re doing with their data and to trust your company that it will take great care of it.
Telling people what you do with their data is part of the user experience.
The guidelines published by the EDPB recommend that this information should not only be available as a separate page but also at the ready whenever you’re asking a tidbit of personal data.
You can do it through layered, contextual, just on time UI. Check this page of the ICO for detailed examples
Your privacy policy and notices are here to reflect how you do business; as much as any transactional email, micro-copy in your form.
And the same person in your organization who writes emails and copy should also write your privacy notices and policy.
As with any enterprise content, this is a constrained exercise in that there are mandatory parts:
- who is the contact, and the DPO as well if any
- the purpose of the processing
- if a transfer outside EU occurs,
Legal persons can review but should not write a privacy notice
Of course, have it reviewed by your prefer legal person if you wish so, but don’t let them write it.
From my experience, the result is never on par with the rest of your contents and UX.
And worst, the habit of jargon shows in every sentence.
Oh, and also while articles 12-14 in the GDPR tell you which information to put in your privacy page, this page is not a copy/paste of said article.
This practice is not useful in any way, and it screams that your claim to be GDPR compliant is a thin varnish over utter crappy behavior.
The providers' list I maintain gives you links to privacy policies pages, so you can rapidly sift through a lot of examples.
However, since this list is getting quite long, I’ll give you some good example you may want to look at, to understand what a useful privacy policy should look like.
The one from ConvertKit
The one from Product Hunt
And last, the one from Transferwise
Now, go to find your most trusted copywriter and your UX designer and have them review all the places where you are collecting personal data and ask yourselves if you are providing the right information, in a plain language in accessible form.