The GDPR and Plain Language: What You Need to Do to Comply

By Fergal McGovern

When the General Data Protection Regulation (GDPR) goes into effect in May 2018, any organization doing business with EU citizens will be impacted.

The regulation sets out a number of requirements which businesses must fulfill in order to comply, including transparency in all customer communications.

In fact, the regulation includes seven separate references to “clear and plain language.”

Here’s one example:

"The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used."

What This Means for You

Companies must state in ‘clear and plain language’ how they will handle data, for what purpose and by whom. For example, if a company holds data related to children, then the reading level of the content must be accessible for those children.

Here’s what the regulation says:

"Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand."

Companies must test all privacy policies and related content for clarity. In this article, we’ll look at how you can test content.

Clarity and Readability: Where Does Your Text Fall?

Well-established readability tests provide one means of testing your language. The two most widely used are the Flesch Reading Ease Index and Flesch-Kincaid. They score reading difficulty using two factors: average number of syllables per word and sentence length.

  • The Flesch Reading Ease score is a number between 0 and 100. The higher the score, the easier the text is to read.
  • Flesch-Kincaid is similar. It approximates the number of years of education required to easily understand the content. The lower the grade level, the easier the text is to read.

The following bands help to interpret the Flesch Reading Ease score:

  • 90-100: Very Easy
  • 80-89: Easy
  • 70-79: Fairly Easy
  • 60-69: Standard
  • 50-59: Fairly Difficult
  • 30-49: Difficult
  • 0-29: Very Confusing

How Do You Score Your Content?

Free and paid options are available to score content. To test the state of current web content, we used a free tool to analyze privacy statements from five companies operating in the UK:

  1. AIG’s privacy policy
  2. BNP Paribas’s privacy policy
  3. Amazon’s privacy policy
  4. Siemens’ privacy policy
  5. And a document called Siemens’ ‘Binding Corporate Rules (“BCR”) – summary of 3rd party rights’.

The clarity results showed readability scores ranging between grade 11 (Siemens’ privacy policy) and grade 19 (Siemens BCR). In other words, you would need 19 years of education to easily understand the Siemens summary of third party rights.

The sites received poor marks for long sentences, passive voice and high word counts. Without exception, each of these companies needs to rewrite its privacy statements in clear and plain language. Otherwise they will fall afoul of the GDPR.

How You Fix Your Content

The first step is to break down the content to see the troublesome areas. Here is an extract from the AIG privacy policy:

Below we flag very long sentences, passive voice, adverbs and hidden verbs.

[Image: AIG Privacy Policy extract]

Imagine a person with disabilities reading this. Or someone with only a high school level education. Or a person without English as a first language. Or a child.

And it takes a few reads to understand. Here’s the sniff test: try reading it aloud. If you understand it after one read, it’s clear. If not, it needs editing. Even with the most technical subject matter, it is always possible to simplify. Think of this as “fatty language.” We need to put it on a diet.

Here’s a simple rewrite of the first statement:

Before: Occasionally, the personal data we collect from you may be processed in (including accessed in or stored in) a country or territory outside your home country, including outside the European Economic Area ("EEA"), which does not offer the same level of protection of personal data as may be enjoyed within your home country.

After: We may process your personal data in a country which is outside the European Economic Area ("EEA"). Countries outside the EEA may not protect your personal data in the same way as your home country does.

The revision did not dilute the meaning or lose any legal impact, but reduced the word count and removed the passive voice.
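The two readability formulas named earlier, applied to the Before and After sentences above, as an added example that is not from the original article or from the tool it used. The syllable counter is a rough heuristic and all function names are assumptions of this example, so scores from commercial tools may differ by a few points.

```python
import re

# Before/After sentences quoted from the article's rewrite of the AIG extract.
BEFORE = ('Occasionally, the personal data we collect from you may be processed '
          'in (including accessed in or stored in) a country or territory outside '
          'your home country, including outside the European Economic Area ("EEA"), '
          'which does not offer the same level of protection of personal data as '
          'may be enjoyed within your home country.')
AFTER = ('We may process your personal data in a country which is outside the '
         'European Economic Area ("EEA"). Countries outside the EEA may not '
         'protect your personal data in the same way as your home country does.')

def count_syllables(word):
    # Heuristic (assumption of this example): one syllable per vowel group,
    # minus a silent trailing "e"; real scorers use dictionaries or finer rules.
    word = word.lower()
    groups = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)

def text_stats(text):
    # Returns (sentences, words, syllables); a sentence ends at ., ! or ?
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+", text)
    return len(sentences), len(words), sum(count_syllables(w) for w in words)

def flesch_reading_ease(text):
    s, w, syl = text_stats(text)
    return 206.835 - 1.015 * (w / s) - 84.6 * (syl / w)

def flesch_kincaid_grade(text):
    s, w, syl = text_stats(text)
    return 0.39 * (w / s) + 11.8 * (syl / w) - 15.59

def band(score):
    # Reading Ease bands as listed in the article.
    for floor, label in ((90, "Very Easy"), (80, "Easy"), (70, "Fairly Easy"),
                         (60, "Standard"), (50, "Fairly Difficult"), (30, "Difficult")):
        if score >= floor:
            return label
    return "Very Confusing"

if __name__ == "__main__":
    for name, text in (("Before", BEFORE), ("After", AFTER)):
        s, w, _ = text_stats(text)
        ease, grade = flesch_reading_ease(text), flesch_kincaid_grade(text)
        print(f"{name}: {w / s:.1f} words/sentence, ease={ease:.1f} ({band(ease)}), grade={grade:.1f}")
```

Most of the improvement comes from sentence length: the Before text is one sentence of 53 words, while the After text averages 18 words per sentence.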

This technique of splitting sentences, removing passive voice and editing out ‘fatty language’ dramatically improves readability.

Most importantly, it allows you to comply with your GDPR plain and clear language obligations. And that’s a big deal.

About the author

Fergal McGovern

Fergal McGovern is the Founder and CEO at VisibleThread. Fergal’s mission is to make business communications clearer.
