The Information Commissioner’s Office has updated the section in the GDPR on the individual’s Right to be Informed about the collection and use of their personal data.
Let’s take a look at what’s new.
What is the Right to be Informed under the GDPR?
So we all know by now that it’s transparency that’s at the heart of GDPR. Allow individuals access to the deepest, darkest details of the personal data we hold on them, be clear about how it is used, and give back control. Now the GDPR goes deeper into that promise, with the Right to be Informed.
In Articles 13 and 14 of the GDPR, you will find the specifics of what individuals should be informed about – referred to by the Information Commissioner’s Office (ICO) as Privacy Information. How you obtained the data in the first place (directly from the individual or via another third party source) will determine what you need to share.
What information do you need to share?
|The information you should provide|Personal data obtained from individuals|Personal data obtained from other sources|
|---|---|---|
|The organisation’s name and contact details|✓|✓|
|The organisation representative’s contact details|✓|✓|
|The Data Protection Officer’s (DPO) name and contact details|✓|✓|
|What you plan to do with the data you are processing|✓|✓|
|Do you have a lawful basis for processing the personal data?|✓|✓|
|Do you have a legitimate interest for processing the personal data?|✓|✓|
|The categories of personal data obtained| |✓|
|The recipients or categories of recipients of the personal data|✓|✓|
|The details of any transfers of the personal data to any third countries or international organisations|✓|✓|
|How long you plan to retain the personal data|✓|✓|
|The rights available to individuals in respect of the processing|✓|✓|
|The right to withdraw consent|✓|✓|
|The right to lodge a complaint with a supervisory authority|✓|✓|
|The source of the personal data| |✓|
|The details of whether individuals are under a statutory or contractual obligation to provide the personal data|✓| |
|The details of the existence of automated decision-making, including profiling|✓|✓|
How should you provide this Privacy Information to individuals under the GDPR?
The advice here is to consider the context of the way the data was collected in the first instance, and where possible use the same medium to communicate Privacy Information. Above all, it’s important to keep it clear and simple and to use language that the target audience would understand.
For example, if using mobile and smart devices, you could utilise pop-ups, voice alerts and device gestures. Additionally, graphics and icons can go a long way in communicating this information in a simple and intuitive way.
The ICO also refers to a ‘just-in-time notice’ where relevant and focussed information is presented to the user at the time of personal data collection or when they decide to give consent. You could also use the layered approach, where key and concise points are listed, with additional layers or links to more detailed information elsewhere.
The most common way of allowing individuals to access and control how their personal data is used is to use preference management tools or dashboard areas on a website.
Time is of the essence when providing Privacy Information to individuals
As we have stated above, one of the requirements when collecting personal data is to ensure that the individual has access to the privacy information at that moment. If you have obtained their personal data from another third party source, then you have other requirements to follow:
- provide the individual with the privacy information within one month;
- if you are using the data to make contact with the individual, you should inform them of those details on the first communication; or
- if disclosure to someone else is likely, inform them when the data is disclosed at the latest.
However, in the instance of obtaining data from another source, the GDPR does not require you to tell individuals anything they already know. This means that providing privacy information is not required if:
- the individual already has the information;
- it is impossible to reach them;
- it would involve disproportionate effort;
- it would impair the objectives of processing;
- the personal data collection was required by law; or
- you are subject to professional secrecy regulated by law.