Transparency is one of the guiding principles of the new General Data Protection Regulation (GDPR), that is coming into play in May 2018.
Data subjects, your audience and consumers, will have the right to know what’s happening to their data and who has it.
Article 5 of the General Data Protection Regulation establishes a number of principles data controllers must comply with in order to be transparent when processing data. Essentially, controllers must process data:
“lawfully, fairly and in a transparent manner in relation to the data subject.”
By making data processing transparent, the GDPR aims to cultivate trust between data subjects and controllers.
But what does the GDPR mean by ‘transparency’?
The GDPR does not offer a definition of transparency. However, in the context of data processing, it does provide guidance about the meaning and effect of transparency.
Their guidance states that the collection, use, consultation and processing of a individual’s personal data should be transparent to them. But how you achieve this transparency is down to you.
Transparency requires any information and communication relating to the processing of personal data to be easily accessible and use clear, plain language which is easily understood.
How can I demonstrate transparency?
Provide Privacy Notices
Privacy notices are the most common way to provide information to data subjects. The term privacy notice describes all the privacy information that you make available or provide to individuals when you collect information about them.
The GDPR states that the information you provide to people about how you will process their personal data must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
The starting point of a privacy notice should be to tell people:
- Who you are
- What you are going to do with their information
- Who it will be shared with
These are the basic points all privacy notice should include. However, privacy notices can be more comprehensive and supply even more information. When thinking about what information to share just consider, “If I don’t share this information will my processing still be considered fair?” Processing could become unfair if, for instance, the individual is unlikely to know that you use their information for a particular purpose.
Map the flow of information
To help you decide what information should be included, the ICO recommends you map how information flows through your business, and examine how you process it. Establish:
- Which pieces of information you hold are personal data.
- What you do with the personal data you have.
- What you actually need to carry out these processes.
- If you are collecting derived or inferred data about people – are you profiling them?
- Whether you will be likely to do anything else with the data in the future.
If you need an individual’s consent, you must think about how you will obtain and record it. In many cases it will be enough to be transparent, and to rely on a legal basis other than consent. However, in most cases a positive indication of an individual’s agreement will be required. In cases where you are relying on consent, your method of getting this consent should:
- Be displayed clearly and prominently.
- Ask individuals to positively opt-in.
- Supply enough information for the individual to make a choice.
Also, if you are processing data for a range of purposes you should explain every way you are planning on using it. You should also provide a clear and simple way for individuals to indicate their agreement to different types of processing. People should not be forced to agree with several kinds of processing simply because your privacy notice only gives the option to agree or disagree with all.
Go the extra mile
Depending on your circumstances it could be a good idea to go beyond basic legal requirements. For example, you can tell people:
- The consequences for not providing information.
- What steps you are taking to ensure the security of personal information.
- Information about individuals rights to access their data.
Also, you must consider another set of guidelines if you want consent for direct marketing.
Feel free to take a look at our privacy notice here to get some insight into what it should contain.
What will the impact of greater transparency be?
Transparency is about engendering trust in the processes which affect a data subject. Transparency should enable them to understand, and if necessary, challenge those processes.
After reading this it should be transparent to you that the complexities of the GDPR require expert guidance.