Right to be informed

You are here:
Estimated reading time: 3 min
Information Commissioner’s Office, “Guide to the GDPR”, retrieved on 17th May 2018, licensed under the Open Government Licence.

At a glance

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your privacy information is.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Checklists

What to provide

We provide individuals with all the following privacy information:

  • The name and contact details of our organisation.
  • The name and contact details of our representative (if applicable).
  • The contact details of our data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

When to provide it

  • We provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

  • within a reasonable of period of obtaining the personal data and no later than one month;
  • if we plan to communicate with the individual, at the latest, when the first communication takes place; or
  • if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

How to provide it

We provide the information in a way that is:

  • concise;
  • transparent;
  • intelligible;
  • easily accessible; and
  • uses clear and plain language.

Changes to the information

  • We regularly review and, where necessary, update our privacy information.
  • If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.

Best practice – drafting the information

  • We undertake an information audit to find out what personal data we hold and what we do with it.
  • We put ourselves in the position of the people we’re collecting information about.
  • We carry out user testing to evaluate how effective our privacy information is.

Best practice – delivering the information

When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:

  • a layered approach;
  • dashboards;
  • just-in-time notices;
  • icons; and
  • mobile and smart device functionalities.

In brief

  • What’s new under the GDPR?

    The GDPR is more specific about the information you need to provide to people about what you do with their personal data.

    You must actively provide this information to individuals in a way that is easy to access, read and understand.

    You should review your current approach for providing privacy information to check it meets the standards of the GDPR.

  • What is the right to be informed and why is it important?

    The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing people with clear and concise information about what you do with their personal data.

    Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’.

    Using an effective approach to provide people with privacy information can help you to comply with other aspects of the GDPR, foster trust with individuals and obtain more useful information from them.

    Getting this wrong can leave you open to fines and lead to reputational damage.

  • What privacy information should we provide to individuals?

    The table below summarises the information that you must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.

    What information do we need to provide? Personal data collected from individuals Personal data obtained from other sources
    The name and contact details of your organisation
    The name and contact details of your representative
    The contact details of your data protection officer
    The purposes of the processing ✓ 
    The lawful basis for the processing
    The legitimate interests for the processing
    The categories of personal data obtained
    The recipients or categories of recipients of the personal data ✓ 
    The details of transfers of the personal data to any third countries or international organisations ✓  ✓ 
    The retention periods for the personal data ✓ 
    The rights available to individuals in respect of the processing ✓ 
    The right to withdraw consent
    The right to lodge a complaint with a supervisory authority ✓ 
    The source of the personal data
    The details of whether individuals are under a statutory or contractual obligation to provide the personal data
    The details of the existence of automated decision-making, including profiling
  • When should we provide privacy information to individuals?

    When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.

    When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:

    • within a reasonable of period of obtaining the personal data and no later than one month;
    • if the data is used to communicate with the individual, at the latest, when the first communication takes place; or
    • if disclosure to someone else is envisaged, at the latest, when the data is disclosed.

    You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.

    When collecting personal data from individuals, you do not need to provide them with any information that they already have.

    When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:

    • the individual already has the information;
    • providing the information to the individual would be impossible;
    • providing the information to the individual would involve a disproportionate effort;
    • providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
    • you are required by law to obtain or disclose the personal data; or
    • you are subject to an obligation of professional secrecy regulated by law that covers the personal data.
  • How should we draft our privacy information?

    An information audit or data mapping exercise can help you find out what personal data you hold and what you do with it.

    You should think about the intended audience for your privacy information and put yourself in their position.

    If you collect or obtain children’s personal data, you must take particular care to ensure that the information you provide them with is appropriately written, using clear and plain language.

    For all audiences, you must provide information to them in a way that is:

    • concise;
    • transparent;
    • intelligible;
    • easily accessible; and
    • uses clear and plain language.
  • How should we provide privacy information to individuals?

    There are a number of techniques you can use to provide people with privacy information. You can use:

    • A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
    • Dashboards – preference management tools that inform people how their data is used and allow them to manage what happens with it.
    • Just-in-time notices – relevant and focused privacy information delivered at the time individual pieces of information about people are collected.
    • Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
    • Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.

    Consider the context in which you are collecting personal data. It is good practice to use the same medium you use to collect personal data to deliver privacy information.

    Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy information.

  • Should we test, review and update our privacy information?

    It is good practice to carry out user testing on your draft privacy information to get feedback on how easy it is to access and understand.

    After it is finalised, undertake regular reviews to check it remains accurate and up to date.

    If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people’s attention.

No questions matching current filter
In more detail

We have published detailed guidance on the right to be informed.

In more detail – Article 29

The Article 29 Working Party (WP29) includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 has published draft guidelines on Transparency. These were subject to a consultation process and the final version is due to be adopted in April 2018.

Thank you for reading.

Was this article helpful?
Dislike 0
Views: 184