Article 5 of the General Data Protection Regulation establishes a number of principles data controllers must comply with in order to be transparent when processing data. Essentially, controllers must process data:
"lawfully, fairly and in a transparent manner in relation to the data subject."
By making data processing transparent, the GDPR aims to cultivate trust between data subjects and controllers.
The GDPR does not offer a definition of transparency. However, in the context of data processing, it does provide guidance about the meaning and effect of transparency.
This guidance states that the collection, use, consultation and processing of an individual's personal data should be transparent to them. But how you achieve this transparency is down to you.
Transparency requires any information and communication relating to the processing of personal data to be easily accessible and use clear, plain language which is easily understood.
Privacy notices are the most common way to provide information to data subjects. The term privacy notice describes all the privacy information that you make available or provide to individuals when you collect information about them.
The GDPR states that the information you provide to people about how you will process their personal data must be:
The starting point of a privacy notice should be to tell people:
These are the basic points all privacy notices should include. However, privacy notices can be more comprehensive and supply even more information. When thinking about what information to share, just consider: "If I don't share this information, will my processing still be considered fair?" Processing could become unfair if, for instance, the individual is unlikely to know that you use their information for a particular purpose.
To help you decide what information should be included, the ICO recommends you map how information flows through your business, and examine how you process it. Establish:
If you need an individual's consent, you must think about how you will obtain and record it. In many cases it will be enough to be transparent, and to rely on a legal basis other than consent. However, in most cases a positive indication of an individual's agreement will be required. In cases where you are relying on consent, your method of getting this consent should:
Also, if you are processing data for a range of purposes you should explain every way you are planning on using it. You should also provide a clear and simple way for individuals to indicate their agreement to different types of processing. People should not be forced to agree with several kinds of processing simply because your privacy notice only gives the option to agree or disagree with all.
Depending on your circumstances it could be a good idea to go beyond basic legal requirements. For example, you can tell people:
Also, you must consider another set of guidelines if you want consent for direct marketing.
Feel free to take a look at our privacy notice here to get some insight into what it should contain.
Transparency is about engendering trust in the processes which affect a data subject. Transparency should enable them to understand, and if necessary, challenge those processes.
After reading this it should be transparent to you that the complexities of the GDPR require expert guidance.
Get in touch with our team at 01787 388038 or email us at email@example.com