18 April, 2018
What is "transparency"?
Regardless of how your business uses personal data, you need to ensure that it stays on the right side of the transparency obligations under the GDPR.
Under the GDPR, the first principle relating to the processing of personal data is "lawfulness, fairness and transparency". The European Commission data protection working party (Art 29 WP) sees the transparency obligations as beginning when personal data is first collected and continuing "throughout the life cycle of processing". In practice this means transparency applies not only to the initial fair processing notice provided when personal data is first collected, but also when communicating with individuals about their rights and at key points during processing, for example if there is a material change to how you process their personal data or if there is a data breach.
Transparency has always been central to the EU's data protection regime (the GDPR being no exception). The Art 29 WP's guidelines highlight the link between transparency, fairness and the new principle of accountability, and describe transparency as an "overarching obligation" applicable to three core aspects of compliant data protection practice:
- the provision of information to data subjects related to fair processing;
- how data controllers communicate with data subjects in relation to their rights under the GDPR; and
- how data controllers facilitate the exercise by data subjects of their rights.
At its essence, transparency is about telling data subjects what you use their personal data for, what their rights are over the personal data you use and how they can get in touch with you about their rights and how to exercise them.
Providing a Fair Processing Notice
One important way to achieve transparency is through your fair processing notice (FPN). The GDPR requires that FPNs are clear, intelligible and easily accessible.
(i) "Easily accessible" – FPNs should be easy for an individual to locate and clearly identified. For example, websites should provide a clearly visible FPN on each page using a commonly used term or icon ("Privacy Statement", "Privacy and Cookies", "Privacy" etc).
(ii) "clear and intelligible" – This is somewhat complicated by the extent of privacy information that you must now give to data subjects under the GDPR. This risks creating long complex FPNs that data subjects will not read and hurriedly scroll through to "accept". To date there has been no detailed guidance on how all the relevant and mandatory privacy information can best be presented. This means that businesses must find creative ways to give data subjects more information, yet still in a concise, clear and intelligible way.
Tips for structuring FPNs
Businesses are required to take "active steps" to provide FPNs. The Information Commissioner (the UK's data protection regulatory authority) has recommended the use of layered notices on mobile apps rather than providing a full notice which data subjects have to scroll through. Other suggestions include "just in time" or "push notices", i.e. information being made available when it is relevant, or "pull notices" which link data subjects through to more detailed information.
Tips for drafting FPNs
Qualifiers. FPNs should not use qualifying words which leave room for different interpretation. For example, words which create uncertainty such as "often", "possible", "may" and "might" should not be used.
Vague phrases. Certain phrases (commonly found in most current privacy notices) will not achieve the required standard. For example, "we may use your information to develop new services" is unclear around what the services are, what information is involved and how that information will be used to develop them.
Not only should you invest enough time in your FPNs to make sure that they clearly describe all your relevant processing activities, but you will also need to implement appropriate checks and balances to ensure that personal data is used in practice in the manner described to the data subject. This means that if there are new processing activities which are not included in your FPNs, you will need to issue additional notices or update current ones. Getting FPNs right is key to GDPR compliance, and businesses should make sure that they are addressing these requirements prior to 25 May 2018.
Byte-sized news
Revised guidelines on BCRs. The Article 29 Working Party (Art 29 WP), the European Commission's working party for data protection, has recently released revised guidelines on Binding Corporate Rules (BCRs) for data controllers.
Many international organisations use BCRs to facilitate intra-group transfers of personal data to entities located outside the EEA, in compliance with EU data protection regulations – these revised guidelines set out the elements that organisations should incorporate into their controller BCRs. In the guidelines, Art 29 WP reiterates the requirement that every entity acting as a data controller or "internal" processor must demonstrate compliance, and is clear that controller BCRs must fully specify and apply each of the GDPR's data protection principles.
ICO sets out three-part legitimate interests test. The Information Commissioner's Office (ICO) has recently released a guide that clarifies when legitimate interests can be relied upon as a lawful basis for processing personal data. The guidance specifically sets out a three-part test, referred to by the ICO as a "Legitimate Interests Assessment" or "LIA", which the ICO describes as a type of light-touch risk assessment. The first of the three tests is termed the purpose test and focuses on identifying the relevant legitimate interest; the second test examines whether the processing is necessary to further the identified interest; and the final test balances the impact of the processing against the data subject's overriding interests. According to the guidance, undertaking and recording LIAs should assist organisations in complying with their accountability and transparency requirements under the GDPR.
Changes to ePrivacy proposal. The Council of the EU has published a discussion paper which annexes amendments to the proposed ePrivacy Regulation. The amendments require software providers to ensure that their products periodically remind end-users of their privacy settings. They also clarify that additional consent will not be required, for example, to accept cookies that remember an end-user's input on online forms during a single web session, to verify an end-user's identity, or to fix security vulnerabilities. The proposal makes it clear that access to a website may be made conditional on the well-informed acceptance of a cookie. Further amendments include treating any end-users who are natural persons acting in a professional capacity as legal persons, and the requirement for every direct marketing communication to give its end-user the right to object to the use of their contact details.
For further information, please contact:
David Futter, Partner, Ashurst david.futter@ashurst.com