Your Privacy Statement Is A Sales Document - On Data Privacy

Many businesses report their GDPR-driven data privacy and protection efforts leading to more sales and better relationships with their customers.

Others find their GDPR compliance has actually disabled their marketing efforts.

Which are you?

The truth is your data privacy management should enable good sales and marketing. After all, what is the point of having good data privacy if there’s no customer data to protect?

Anyone thinking GDPR was nothing more than an expensive, time-consuming and confusing exercise without a positive outcome is wrong. If you’re not seeing an “upside”, whatever it is you’ve been doing needs to be reviewed and refreshed.

Because if you’re getting the protection, privacy, accountability, transparency and trust bits right, you can use them to enhance your ability to sell more, to more people and keep them as customers for longer.

Which is what every business wants. Right?

Based on simply looking at the numbers of emails I receive nowadays, it looks as though many businesses are struggling to re-enable their direct marketing.  Even those for whom I am a regular customer appear to have chosen to withdraw from using direct communication to encourage me to continue buying.  Is it possible that the confusion and conflicting advice about keeping your marketing working whilst observing the changes in regulation has frustrated you, annoyed you or sapped your confidence?  If this is the case, how do you go about putting things right?

You can start with this.

Your Privacy Statement Is A Sales Document

“But that’s not what it’s for!”

I know what you’re thinking. You’re thinking of the privacy policy you remember putting on your website last year and you’re either thinking something along the lines of, “oh no it isn’t” or, “but that’s not what it’s for!”.

A little background might help put this into context for you.

I became involved in managing data privacy in my role as a direct response marketer. Knowing that GDPR was coming, I enrolled on a course to discover more about it.

Very quickly it was clear to me that working in tune with the principles and upholding the rights given to customers meant I could use GDPR to build trust.

In my day-to-day work at the time, writing direct response sales copy, the first thing I was trying to achieve, after attracting attention, was trust.

When marketing any product, trust is incredibly hard to achieve.  Especially from a standing start.  Trust is the foundation of each sale you make.  Yet here was a regulation which didn’t just embrace trust, it was built in.  While everyone else was banging on about “compliance”, I was thinking about using this to generate trust.

Use the GDPR To Enable Your Sales & Marketing

If you read the wording of the articles and recitals of the GDPR it’s right there. Even the Article 29 Working Party (now the European Data Protection Board or EDPB) guidance on the preparation and use of a privacy notice could have been lifted straight out of a direct response marketing textbook. In effect,

“Use plain English, be clear and concise, don’t use word modifiers, be easy to find.”

(A “word modifier” is called a “weasel” in the sales copywriting trade – they are to be avoided because they are used to deliberately introduce uncertainty.)

Do as the GDPR suggests and you have a method of earning the trust of your sales prospects right there. Once you have earned basic trust, you can develop it all the way through to making a sale.

That’s right. Properly implemented GDPR can help you sell more stuff. Being frank and open about how you go about data privacy can help you to stand out in your marketplace.

Yet if you look at the websites for many businesses, you’ll see that Privacy Statements (or Notices), where they are available at all, are buried deep in the bowels of the footer on the home page. And they’re often called a “Privacy Policy”.

A Privacy Policy Isn’t A Privacy Notice

Now, this is important. A Privacy Policy is not a sales document, it’s not even a Privacy Notice. Privacy Policies are supposed to be internal documents. They are used to guide your employees about how you define, manage and operate your data privacy and protection.  They often include legal jargon.  Not, by any stretch of the imagination, usable in your selling process. They are hard to read, they go on for EVER and they are utterly irrelevant to the task at hand.

Which is to INFORM your prospective customer.

(For the sake of clarity, a privacy statement is the same as a privacy notice, in that their intended reader is a data subject, usually a customer, sometimes an employee.)

Being informed is the first right your data subjects are given by the GDPR. Yet it is often missing from privacy policies, statements or notices.

If your business is to genuinely “uphold the rights and freedoms” of your data subjects, you need to tell them what you plan to do with their personal data when you collect it.  Only then can they make an informed choice about whether or not they want to let you borrow it.

Your Privacy Statement or Notice helps to inform this choice –  if you turn it into a window on your processing of personal data.  People can see you are serious about how their personal data is used if you are transparent and open about what you do with it.  If they approve of what you say, they will trust you enough to allow you to move on to the next stage.  Your first trust step is taken, the foundation of your relationship with your customer is established.

Flipping The Big Switch


Switch It On

You see your sales prospect has a default position when it comes to buying things and that is to keep their cash in their pocket.

Think of them as having a big switch controlling their buying behaviour. There are only two settings,

“Off”, which means “not for me” and,

“On”, which means, “for me”.


If you don’t take advantage of the opportunity to inform your sales prospect, the switch will stay firmly in the “off” position. “Not for me.”

Obviously, there’s more you need to inform them about than simply how good you are at protecting their personal data. You’ll want to inform them about what your product can do for them and the results they can expect to experience if they decide to buy from you.

However without trust being in place first, they probably won’t be listening.  The switch is off.

Unless you choose to try to overcome the absence of trust by making use of a kamikaze discount: 50% off!

The Kamikaze Discount

Kamikaze discounts are all the rage amongst people who don’t understand how profit margins work. They may well attract new customers to your business in lieu of trust. Yet because your new customer relationship is based on “cheap” and not on “trust”, the sad truth is they’ll leave you for the next cheap offer. Unless of course you want to keep crippling your profit margins with endless cut price offers. How long can you keep that going for?

Remember the default position for that big switch is “off” – “Not for me”. Or in the case of a price cutting war, “Not buying from you.” as the customer slides from one cheap supplier to the next.

Make Use Of Instant Trust


Instant Trust

You might already be able to see now how a properly prepared privacy management programme can help you to take advantage of the “instant trust” made available to you by the GDPR.

It is a small step, of course it is, but a critical one. This is the step which can overcome the inertia keeping that customer buying switch at “Off”.

Once the switch is moved to the “On” position, your customer is thinking about the next step of making a purchase. You will probably have several additional steps to take before you actually make your sale. Without that important first step, the switch will stay resolutely in the “off” position.

It is also worth pointing out this switch can flop back to its default “off” position at any time. You need to make sure the rest of your sales messages are designed to keep your sales prospect interested, which is much harder than it sounds. But it is made that little bit easier if your sales prospect actually trusts you. This trust being based on how you intend to behave towards the use of their personal data. In other words by offering them:

  • Clarity
  • Transparency
  • Accountability

Don’t Fall At The First Hurdle

So why do you make your privacy statement or notice so hard to find?

Well, if all you’ve got is a hideous privacy policy full of legalese, I can understand the desire to bury it as deep as it can go.

But if you’re trying to persuade someone to buy something from you, especially in this modern data economy, you need to encourage their trust.

Naturally, you can only build trust in your use of their personal data if you tell them what your plans are.  If you take the time to notify them in a way which they find relevant and easy to use.

Place the links to your Privacy Statement where it’s easy to find them.  Top level navigation would be good.  This needs you to go beyond “compliance”.  You need to turn this into a sales conversion argument.

Think about it. The most popular opening line used in privacy policy documents is this:

“We take your data privacy very seriously”

say most data controllers who actually don't...

If your prospective customer has just had to spend five minutes scrolling around trying to find the page containing this line, you might forgive them for being just a tiny bit sceptical.

Even more so if they are then faced with an impenetrable wall of text which they won’t read.  Yet which many websites insist on making part of what must be agreed to in order to complete a sale: “Click here to accept our Privacy Policy” – I’ve never understood why businesses feel the need to do this.  When you present a privacy notice you are informing them.  If your customers are going to respond positively, it will be to take the next step in your sales process.

Forcing acceptance of a privacy policy is utterly meaningless.  Your data subjects hold all the power nowadays.  You don’t.

If they can’t read or understand your privacy notice, they are not informed. Which isn’t a solid foundation for your marketing objectives, which should include, “keeping them for longer” and “selling them more”.

These last two factors are what makes customer personal data of value to your business. You only get to borrow personal data for as long as the data subjects (your customers in this case) will let you. It makes sense to use it to attract as much value as you can.

What Should A Privacy Notice Contain?

The Information Commissioner’s Office (ICO) in the UK provides guidance about what should be in your Privacy Notice. You can read about it in the ICO’s advice.

Information To Be Provided

The wording of the GDPR itself is crystal clear. You’ll find it in Article 13, which deals with the information you need to provide, “where personal data are collected from the data subject”.

It states that at the time when personal data are obtained you should provide the data subject with all of the following information:

  1. The identity and contact details of the controller and, where applicable, the controller’s representative.
  2. The contact details of the data protection officer, where applicable.
  3. The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing.
  4. Where the legal basis is based on “Legitimate interest”, the legitimate interests pursued by the controller or by a third party.
  5. The recipients or categories of recipients of the personal data; where applicable the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the commission or… …reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

The GDPR continues, “In addition to the information referred to (above), the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:”

  1. The period for which the personal data shall be stored, or if that is not possible, the criteria used to determine that period.
  2. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
  3. Where processing is based on Consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before it was withdrawn.
  4. The right to lodge a complaint with a supervisory authority.
  5. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
  6. The existence of automated decision-making, including profiling, with meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

This all seems like a lot of effort and you probably reckon nobody will read this sort of information anyway. Which is why you need to think about how you can present all this in a usable format.

The ICO suggests using a “layered” presentation and I think this is a good option for you in terms of your sales presentation.  There are now some really good template documents you can build yourself online.  What you need to be wary of is how you present your privacy information.

The last thing you want to do is go to all the trouble of getting someone interested in buying from you, only to be directed to a “privacy” page before they click on the buy now button. If you haven’t got the information arranged in an accessible and engaging way, some of them might not come back.

So it makes sense to answer the key questions on your prospect’s mind and do it “in line” as part of your ordering process. Don’t leave unanswered questions lying around.

Answer their important questions first, which will usually be:

  • Which items of personal data do you want from me?
  • What are you going to do with them?
  • Why do you need them?
  • Will you be sharing them?
  • Where are they going?  Will they be safe there?
  • How long are you going to keep them for?
  • How are you going to dispose of them?
  • Who am I really dealing with?

On a website, it is easy enough to make use of a tabbed, accordion or FAQ-style layout to present these questions and answers as succinctly as possible.

You could try something like this for example:


Privacy Notice

Who we are

We are On Data Privacy Ltd, the data controller.  For contact information please see our Privacy Centre.

The data we collect

We’re collecting your name and email address

Purpose and reason for processing

We will use your data to send you monthly newsletters by email, we can only do this if you provide consent for us to do so (by ticking the box below)

Data Sharing

Your data will be shared with our Email communication system based within the EU who act as a data processor in accordance with our instructions. Your personal data will not leave the EEA.

Retention & Disposal

We will keep your personal data for as long as we have valid consent from you. It will be deleted when you withdraw consent.

Your Rights

For more information regarding your rights or making a complaint, please see our Privacy Centre.

You might find this inappropriate or ungainly but all it’s doing is dealing with unanswered data privacy questions in the minds of your sales prospects.  You are being transparent.

If you don’t answer these questions, you might not make the sale.  Unlike many of your competitors who seem to want to put a guard up when it comes to transparency, which risks pushing sales away, you are going to use this to draw them closer. It’s all part of learning to take advantage of the modern data economy.

Steering The Sales Conversation

Answer the easy questions first and keep control of the sales conversation. When you need to refer to more detailed or standardised information, you can include links to your full Privacy Notice or Statement, where all the information about rights, complaints and full contact information can be found.

Remember, you need to actually do what you say in your privacy statement. If you raise an expectation you need to live up to it. Which is why forcing your data subjects to ferret around your website for five minutes to find a privacy policy page which tells them how serious you are about upholding their rights is a dangerous thing to do. Making a false or misleading statement about the reality of your data processing can get you into trouble.

So now you have collected personal data from data subjects and they are either a customer of some sort or a “qualified lead” in terms of their membership of a marketing list. What happens next?

You can only make use of personal data on the basis of the data subject allowing you to do so. They have only loaned it to you. If you are to make use of it and extract some value from it, you need to uphold their rights over the use of their personal data.

What will happen when your customers start to invoke those rights?

Upholding Their Rights – the Subject Access Request (SAR)

You need to attach much more importance to this than simply plonking an email address into a web page for people to use to raise their subject access request. It may well be “compliant” in its most basic sense but you’re just asking for trouble in terms of managing your response.  You also risk letting that “buy?” switch return to its default position of, “not for me” if you don’t handle this properly.  Which could result in you losing the permission to process the personal data.  Which means lost sales.

If you are to keep the “buy?” switch in the “for me” position, you need to make Subject Access Requests easy for customers to use.  Make it difficult for them and the hard-won transparency becomes opaque, trust can be lost and the switch is closed again. Once closed, you have to start the process of building trust all over again.

Maintaining The Relationship

The Subject Access Request is part of your ongoing relationship with your prospects and customers.  Get this right and you can reduce losses of “permission” to communicate with them and the consequent loss of sales.  Ignore this and you’re telling your potential and existing customers all they need to know about whether or not they should still trust you.

So if you’re upholding people’s rights, you need to make it easy for them to raise a subject access request with you.  If you look at GDPR and data privacy positively, you’ll see all this as an opportunity to answer a question, to take ownership of the relationship with your customers. If you stopped paying attention as soon as you thought you had achieved basic “compliance” with the GDPR, it could be you have a less customer-centric approach.

Either way, the SAR – and your response to each one – is a potential minefield for small, independently owned businesses.  It is also your opportunity to quickly establish control of the conversation with your data subjects.  If you have a manual process for handling this, all credit to you. You’re doing better than many. However I think we can improve on it for you.

How To Handle Subject Access Requests

Enter Tap My Data. It’s an app which gives you the means to handle Subject Access Requests made to your business. Your data subjects can access it easily using their smartphone. It handles the tricky subject of data subject authentication and gives you the means to “triage” your access requests so you are in control. Enabling you to identify the requests made about real data subject rights problems and focus on those. It’s the solution to the problem you didn’t know you had.

Tap My Data

You have one month to respond to each subject access request. Tap My Data keeps you well within that deadline.

Which means your customer facing staff can focus on what your customers need. If they have questions about personal data and invoking their rights, with Tap My Data you have an effective means of dealing with them efficiently. If you are able to respond positively to subject access requests, you can keep that “buy?” switch in the open position and move on to keeping those customers satisfied for longer. Building that trusting relationship, selling them more and increasing the value of the personal data your customers have let you borrow.

Yes I know there are lots of caveats and conditions regarding whether you really need to respond to a particular SAR in a particular way. However instead of arguing the toss with every single request, wouldn’t it be refreshing to just answer the question and get on with it?

Let’s face it, getting into an argument with every single access request isn’t going to win you many friends.

Being customer focused, accountable and professional all at the same time won’t do the public perception of your business any harm at all.  Obviously, data subjects can use apps like this to hold data controllers to account.  If this is the kind of tool a private individual can easily deploy to test your accountability, you probably want to be matching them with capabilities of your own.


Use privacy notices as a sales letter, transparency as the attitude towards your customers, accountability as your standard business approach to data privacy. Prove you are upholding those rights every day as part of the natural rhythm of your business and you’ll be rewarded with trust.

And as an old direct marketing copywriter told me many times, “trust means sales”.