News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top 10 Operational Responses to the GDPR – Part 6: Transparency and privacy notices Related reading: Top 10 Operational Responses to the GDPR – Part 5: Preparing and implementing data-retention and record-keeping policies and systems

rss_feed

""

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation.

This sixth installment in the 10-part series explores the transparency requirements of the GDPR and practical ways in which organizations can go about meeting them, focusing on privacy notices. The first five installments of the series, addressing data mapping and inventory, legitimate bases for data processing, data governance systems, data processing risks, and data retention and record-keeping, can be found here.

Informing data subjects about processing

Perhaps the most common privacy practice followed globally is the familiar “notice and choice” paradigm, which typically involves a statement on an organization’s website explaining its data processing and security practices and the opportunity (in theory) for consumers to avoid those practices. “Choice” has involved, at least, the opportunity not to share data with the organization by not doing business there. Notice is sometimes accompanied by an opt-in option, though opt-outs are also common.

The GDPR term for “notice” is transparency, and it is a central theme of the Regulation. Part of the core principle of accountability set forth in Article 5 is the requirement that “personal data [be] processed in a transparent manner in relation to the data subject.” As set forth in Recital 60, transparency allows data subjects to be informed of the existence and purpose of any processing activity involving their data. Transparency is also about engendering trust in the processes that affect data subjects “by enabling them to understand, and if necessary, challenge those processes." 

Required disclosures

Articles 13 and 14 of the GDPR and associated guidance from the European Commission give the specific information that must be disclosed to data subjects and the required time of disclosure. Which article applies depends on how the data controller comes to possess the personal data. If from the data subject directly, then Article 13 applies. But if the controller receives personal data from a third party – say, by purchasing a list of potential leads or by sponsoring an event and getting the attendees’ names from the event host – Article 14 spells out how and when disclosures should be made.

Taken together, however, the types of information that must be disclosed are similar in both articles. Controllers will need to have a privacy notice – discussed below –that is prominently visible on their websites and available by link in commercial email communications with data subjects. Those communicating with data subjects whose contact information was provided by others may also want to place the information in the body of the first email communication, but at a minimum should include a link to their website’s privacy notice. Finally, much of the information required to be disclosed is similar to what will be needed if a data subject exercises a right of data access, so the transparency disclosure may be used in a variety of different places and contexts.

When data is obtained directly from a data subject, Article 13 requires that disclosure occur “at the time when personal data are obtained” and include:

  • The identity and contact details of the controller and, where applicable, the controller’s representative, as well as the contact details of the controller’s data protection officer.
  • The intended purposes and legal basis of the processing. This information should already be available from the data mapping and inventory exercise conducted early in the GDPR compliance process, but should be explained in plain and unambiguous language in the privacy notice.
  • If applicable, the legitimate interests pursued by the controller or by a third party. This reflects the lawful basis analysis the organization has conducted pursuant to Article 6.
  • Data mapping and inventory as well as Article 30 record keeping efforts will inform the following required transparency disclosures:
    • The recipients or categories of recipients of the personal data.
    • Any transfers of personal data to a third country or international organization and the existence or absence of an adequacy decision for such a transfer, or reliance on Articles 46 or 47, or Article 49(1), as well as references to the appropriate or suitable safeguards.
    • The period for which the data will be stored or the criteria used to determine that period.
  • A description of the existence of the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing and the right to data portability.
  • If the processing is based on consent, an explanation of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • A description of the right to lodge a complaint with a supervisory authority.
  • Whether the provision of personal data is required by statute or contract, or is a requirement necessary to enter a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data.
  • The existence of any automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

If a controller intends to process already-collected personal data for a purpose different than the one disclosed when the data was collected, it must inform the data subject of the new purpose, and provide any relevant further information, prior to the new processing. 

Under Article 13, controllers are exempted from disclosure requirements only “where and insofar as the data subject already has the information.” Companies that wish to make use of this exemption should take care — the Article 29 Working Party notes that controllers must document what information a data subject has, how and when it was received, and that no changes have occurred that would put it out of date. Such documentation could be a feature of comprehensive Article 30 record keeping.

When data is obtained from a source other than the data subject, Article 14 requires that controllers meet the same disclosure requirements described in Article 13, and additionally disclose: (a) the categories of personal data concerned in the processing; and (b) the source from which the personal data originated, including whether it came from publicly accessible sources. This must be done “within a reasonable period after obtaining the personal data, but at the latest within one month,” except when the controller communicates directly with the data subject or passes along the information to yet another third party, in which case disclosure must occur right away.

Controllers subject to Article 14 have more exceptions from disclosure than those subject to Article 13, although the Working Party cautions that the exceptions should be interpreted narrowly. Exceptions include the data subject’s prior possession of the information; impossibility of or disproportionate effort in disclosure (such as when personal data is acquired for scientific or historical research purposes or statistical purposes), in which case a publicly available privacy notice should suffice; when member state law provides otherwise; or where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or member state law, including a statutory obligation of secrecy.

For example, historical researchers who have obtained a large dataset collected 50 years ago, which has not been updated since, and does not contain any contact details for data subjects, might qualify for the “disproportionality” exception. A professional secrecy exemption might apply when a bank does not inform an account holder that the bank has passed data to a financial law enforcement authority, in compliance with an anti-money laundering statute making such a “tip-off” a crime. Even in the latter scenario, to comport with transparency principles, the bank should provide “general information” to all new customers that their data may be processed for anti-money-laundering purposes.

Crafting a GDPR-compliant privacy notice

Pursuant to Article 12(1), as well as Recital 39 and Recital 58, privacy notices should be concise, transparent, intelligible, easily accessible, and easy to understand, using “clear and plain language, and where appropriate, visualization.” If the processing relates to a child, the disclosure should be easily understandable by the child. 

The WP29 suggests that compliance with the intelligibility requirement should be regularly checked to ensure that “the information/communication is still tailored to the actual audience” and that user panels could provide an effective mechanism for doing so. “Hall tests” or live user trials should be conducted and documented in advance of processing “going live.” The WP29 cautions against the use of overly complex sentence and language structures, and warns organizations not to phrase policies in “abstract or ambivalent terms, or leave room for different interpretations,” particularly regarding the purposes of and legal basis for the processing of personal data. Organizations are specifically encouraged to avoid using the passive voice or indeterminate qualifiers like “may,” “might,” “some,” “often,” and “possible.” Guidance on creating specific and informed consent may be useful in the broader transparency context, particularly in regard to the intelligibility requirement.

Notices can be presented to data subjects in written form, orally, or in an electronic format, where appropriate. Web-based privacy notices should be clearly visible on each page of the website under a commonly used term such as “Privacy Notice” or “Data Protection Notice.” A website’s layout and format must not be manipulated to make privacy disclosures more difficult to find — for example, altering the size or color of a privacy policy’s hyperlink to make it more challenging to locate will violate the requirement of accessibility.

For the collection of personal data via apps, the Working Party advises that transparency requirements should be met in the online store prior to download, and after installation “should never be more than two taps away.” As a general rule, this means menu functionality should include a “Privacy” or “Data Protection” option that links to the relevant policy.

The WP29 recommends the use of “layered” privacy notices in the online context, which should allow the data subject to navigate to whichever part of the privacy statement they wish to access without being required to scroll through large amounts of text. An effective layered notice is not simply a group of nested webpages — the design and layout of the first layer “should be such that the data subject has a clear overview of the information available to them” and need only expand sections for greater detail. Organizations should take care to avoid providing conflicting information within different layers of a policy. Microsoft’s privacy statement is a good example of a layered privacy notice.

The U.K. Information Commissioner’s Office also provides guidance on how to effectively structure a privacy notice. The ICO reiterates the points that privacy notices should include the identity of the controller, the intended use of the personal data being collected, and the identity of any parties with whom the data will be shared. It’s also wise to prominently identify and provide contact information for the organization’s DPO (or whoever handles subject access requests if you don’t have a DPO).

Alternatives to Layered Notices                      

The WP29 suggests several methods of providing transparency information in lieu of or in addition to a layered privacy notice. These include “just-in-time” push notices, or “pull” notices such as permission management interfaces and “learn more” tutorial options. A “just-in-time” notice will provide specific privacy information when it is most relevant to the data subject — for example, during an online purchase a pop-up next to a field requesting the purchaser’s telephone number might explain that the information is only being collected concerning contact related to the purchase and will only be disclosed to the relevant delivery service.

For organizations supplying services that span multiple devices, a “privacy dashboard” that allows data subjects to access and control the use of their personal data in multiple contexts may be appropriate.

Transparency must always be based on the circumstances of the data collection and processing; although the WP29’s position favors electronic privacy notices for data controllers with a digital or online presence, other formats of disclosure may sometimes be required. Alternatives may include hard copy notices with written explanations or notices included in leaflets, infographics or flowcharts for contracts concluded via post; oral explanations provided via telephone either by a real person or automated system that includes options to access more detailed information; icons, voice alerts, QR codes, SMS messages, or written information included on IoT devices; or visible, real-world signage or newspaper and media notices for real-world recording by CCTV or drone.

Special requirements attach to any processing that qualifies as automated decision-making under Article 22(1). The Working Party has issued guidance that addresses this situation. Broadly, organizations utilizing automated decision-making are obligated to inform data subjects that it is occurring, and “find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching the decision.” The Working Party suggests that disclosures should focus on “real, tangible examples of the type of possible effects” of the automated processing. For instance, if a data subject’s age would put them in a specific category for marketing materials, the organization should explain that providing their age will expose them to specific and targeted marketing materials.

Although Recital 60 allows for the use of standardized icons as part of an organization’s transparency disclosures, the use of such icons “should not simply replace information necessary for the exercise of a data subject’s rights.” Icons that are presented electronically should be machine-readable, although the use of icons may be appropriate in other contexts. Examples might include physical paperwork, the exterior of IoT devices or device packaging, or public notices concerning Wi-Fi tracing or CCTV recording. Any use of icons for transparency purposes is dependent on forthcoming decisions by the European Commission standardizing their meaning and permissible use.

Conclusion 

Transparency is one of the central principles of the GDPR. Companies must avoid simply “checking the boxes” regarding the specific disclosures mandated in Articles 13 and 14. Transparency compliance requires that companies not only ensure all the mandated information is included, but that it is presented in a readable, comprehensible format. Ultimately, when meeting transparency obligations, companies should remember that the base-line goal of the GDPR is to provide each data subject necessary information about any processing of his or her personal data and what his or her rights are related to that processing so he or she can determine whether he or she wishes to exercise those rights.

Photo credit: Joe Shlabotnik Notice via photopin (license)

Author
Headshot Lee Matheson, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP IAPP Member Contributor
Tags
Privacy Law
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Tags
Privacy Law
Privacy Operations Management
Recent Comments