Transparency is not a new data protection concept, nor is it specific exclusively to EU law. It is about being open towards the individuals about processing of their data. However, insufficient transparency and, thus, inadequate measures to ensure that data subjects maintain control over their data, remains a special concern to EU lawmakers. For this reason, the GDPR puts strong emphasis on transparency and enhances the scope of information to be provided to the data subjects.
Such information is generally to be provided in writing or by appropriate means, as electronically. Oral communication is possible, when requested by the data subject, but as it requires that the identity of the data subject is proven by other means, this is expected to be used only on rare occasions.
The exact scope of the information may vary, depending on circumstances, including whether the data were obtained from data subjects or from data sources, but generally the data subject must be informed one way or the other about:
- who is the controller and what are its contact details;
- what are the contact details of a data protection officer, if such officer has been designated; categories of personal data processed;
- source of the data; purposes of the processing; legal basis thereof and interests pursued by controller or third party, where relevant;
- whether providing data is a requirement, why and what are the consequences of not providing;
- recipients or their categories;
- retention periods or, when not possible, criteria for their determination;
- rights of the data subjects, including: access to, rectification, erasure, data portability, right to object, withdraw consent, restriction of processing, right to lodge a complaint with supervisory authority;
- transfers of data to third countries or international organizations and about appropriate safeguards and how to obtain copy thereof;
- automated decision-making, including profiling, which produces legal effects or has a similar, significant impact on individuals, about the logic behind it and its consequences to the data subjects.
The list is very long and a practical question would be how to adjust your current communication towards data subjects to be GDPR ready. Adding few sentences to existing privacy notices may seem as a most obvious reaction to address the new requirements, but is it the right solution?
Unfortunately, this is by far not so simple.
Like with many other issues, the point of the GDPR is to make privacy work in an effective way, and not to create long and complicated documents, impossible to comprehend in less than few hours.
Therefore, while the list of information items to be provided to the data subjects substantially grows (refer to Articles 13 and 14 of the GDPR), such information will need to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (refer to Article 12 of the GDPR).
What also needs to be borne in mind: This is not only about providing a list of rights and details of processing to the data subjects, this needs to be explained with all relevant specifics as to why, how, when, who, etc.
This is even harder, considering that many of the rights of data subjects are dependent on existence or lack of existence of certain circumstances. In particular, data portability and right to object will not always be relevant, and it may likely happen that for the same individual it will vary depending on the category of data. Withdrawing consent, of course, will only be relevant if the consent was given in the first place. Restriction of processing and right of erasure will also depend on the circumstances as this are not absolute rights. This is not all and it is practically not possible that such a long list, dependent on many specific circumstances, will not change during the course of your relationship with the data subject, be it your customer, employee or contractor.
So is it doable altogether to provide all this information in an easy to understand way? Yes and No.
No, if you follow traditional, old ways, by providing some kind of one-size-fits-all privacy statement. In such situation, provisions of the GDPR may seem to be a contradiction in terms, as you need to provide more information, yet in a concise and reader-friendly form.
Yes, if you take proactive approach and implement tailored communication with particular data subjects into your business operations.
How to do this in practice?
Use different forms of communication, preferably providing some general, easier to comprehend explanations, why making relevant details clearly available.
Some of the guidance on how to communicate privacy in user-friendly form is already there.
We still do expect the Article 29 Data Protection Working Party to issue some guidelines on this subject, but advice provided by the GDPR-updated ICO code, "Privacy notices, transparency and control," will still be very relevant.
Layered information notices, using e.g. "hover over" functionality, as well as machine-readable icons and symbols, are some of the ways to provide meaningful, yet easy to grasp information. This could be supplemented by opt-in and opt-out boxes, where relevant, and responsive web design.
Using videos and just-in-time notices could support your efforts in ensuring transparency by effective communication. Addressing the needs of people with visual impairment or other disabilities, must also be considered. No doubt there are, however, many techniques to augment you with this.
With paper, traditional notices, highlighting most relevant privacy essentials at the beginning and only later going into more complicated details, seems most logical. Parts of the text should be clearly separated, so each relevant information is clearly distinguishable from the other matters.
Is it enough then, just to use effective communication tools and provide layered information using plain language?
Well, not really. It seems that more tailored approach is still needed. This means that solutions and procedures should be designed and developed in order to be able to present the data subject with concrete information on her/his personal data and not just on how you handle data in general. Such tools and procedures, obviously, are needed anyway, in order to provide the data subjects with effective access to their data.
This means that you should to be prepared to extract, or otherwise generate, for every data subject, a tailored information which will need to be updated throughout the life cycle of the data. In this way, data subjects will be aware in the given time, what happens with their data and what period of retention is still envisaged. Following the principles of data protection requires you to take efforts, over time, in order to minimize the scope of data and the scope of their recipients. Whenever relevant changes take place they should be communicated to the data subjects. Therefore, privacy should be part of your standard communication with the data subject and not something exceptional.
There are many ways to do it nice and easy, depending on business model and the software used for processing of personal data. Preferably, however, user-friendly interfaces and easy-to-use dashboards should be in place. In most cases it will be much easier to implement such processes with regard to structured data sets and unstructured data sets will call for some additional effort. Such interfaces and dashboards could be for internal use, allowing staff to access relevant information and communicate it to data subjects, or they could be directly available to the data subjects.
It can be reasonably expected that this will become, in one form or the other, off-the-shelf solution in the nearest future for any new software tools intended for processing of personal data.
Whenever feasible, allowing the data subjects to directly access the data, modify their privacy settings and download their data in a portable format, seams to be most privacy-friendly solution. It will not always be possible, though, and security risk factors will need to be considered.
Keeping the data subjects informed is not one-off task. This should be seen as a continuous process, which needs to be integrated into day-to-day operations. Irrespective of whether you use dedicated tools, simple extraction techniques, or compile such information manually, as the relevant circumstances tend to evolve, the data subject will need to be well informed throughout the life cycle of their data and not just once. "GDPR consent guidance," reiterates this. Consent is a dynamic part of ongoing relationship of trust with individuals and not one-off compliance box to tick and file away, therefore, it needs to be reviewed and refreshed as appropriate. This seems to be also a very relevant remark with regard to transparency in general and privacy notices. Soon, it may also be considered as one of the reasonable expectations from the data subjects, that they are provided, from time to time, with a refreshed notice.
Such approach is also beneficial to your privacy framework and for maintaining control over the data you have, as it plays well with record keeping and data mapping. Other business advantages will likely follow.
Successful and continuous communication with your customers, employees and various stakeholders, should not be seen as an onerous burden, but as an excellent opportunity to make foundations of your company stronger in the long term.
If you want to comment on this post, you need to login.