GDPR: Getting Data Protection Right (Part 2 - Transparency)
This is Part Two in Mills & Reeve’s series of blogs about Getting Data Protection Right. In Part One we looked at lawful processing, and in this Part Two we focus on transparency.
The GDPR is designed to ensure that organisations are transparent in their processing activities and when they communicate with data subjects (individuals). Transparency is now embedded as a key principle of the GDPR.
The GDPR particularly emphasises the need for transparency in privacy notices, and also when communicating with data subjects in relation to their rights or data breaches. Such communications should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The requirements are even stronger if the information is addressed to a child.
The GDPR also emphasises the need for organisations to make people aware of the “risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing”.
Practical steps to take now
Consider how the transparency requirement will affect your privacy notices:
- Are they easily accessible and not buried in longer terms and conditions?
- If the notice is “layered” e.g. via “click through” headings, is the most intrusive and surprising processing apparent from the first layer? Is it clear from the headings where the rest of the information can be reached?
- Is the language clear and concise? Are the fonts and colours easily legible?
- Will the notices be intelligible to the likely audience (e.g. consider children, people with disabilities)?
- Do they make clear what the most important risks or most intrusive processing activities are?
- Are the notices appropriate to the type of activity or technology? A notice that only appears on a website may not be appropriate for CCTV monitoring for example.
- Will the notices be reviewed at appropriate intervals?
- How will people be notified of changes so that they can exercise their rights before the change comes into effect?
You should also consider how the transparency obligations will affect your other communications with individuals.
At Mills & Reeve we offer a range of products and services relating to GDPR-readiness and data protection – to find out more please contact one of our data protection experts Paul Knight, Sarah Whyman or Edward Hadcock.