
UK GDPR - Back to Principles: Transparency


Under the UK GDPR, one of the key principles is transparency, and organisations are under a clear legal obligation to inform data subjects about what they do with individuals' personal data: what they hold, how they use it, how long they hold it for, and so on. This transparency is typically achieved through privacy notices, and while the content of these is largely prescribed by the UK GDPR, it is important to consider issues beyond content alone. The presentation and timing of privacy notices are also key. There is no one-size-fits-all approach, and privacy by design requires organisations to consider these issues in the context of their own processing activities.

January seems a fitting time to reflect on your organisation's compliance framework and identify a plan for the coming year, part of which will likely involve ensuring that transparency requirements are being met and that any current privacy notices are appropriate. This blog will guide organisations through best practice for drafting clear and compliant privacy information. Whether your organisation is a small business just beginning to navigate data protection compliance or a large, established business refining its data protection processes, understanding the requirements for transparency is essential to building trust with data subjects and avoiding costly missteps.

Privacy Notices: What are they?

A privacy notice is a mechanism for organisations to inform data subjects of how their personal data will be handled and of the rights they have in relation to that handling. Transparency (a key data protection principle under the UK GDPR) and data subjects' right to be informed underpin the obligation on organisations to communicate effectively with data subjects about processing, and privacy notices are a tool used to achieve this.

Depending on your organisation's operations, you may want to provide more than one privacy notice to cover the different types of data subjects the organisation processes information about. This helps keep each privacy notice clear and focused for the relevant data subject. For example, an organisation may wish to have a separate privacy notice for applicants, staff, customers, etc. Consider the categories of data subjects you are processing personal data about and ensure a targeted privacy notice is provided for each.

What you need to Include: the Legal Requirements

What your organisation needs to include in its privacy notice will vary depending on whether it collects personal data directly from data subjects or indirectly from other sources. Direct collection includes collecting data from individuals when they fill out a form, sign up for a service, etc. Indirect collection happens when, for example, data is obtained from social media, public records, recruiters, or third-party business partners.

Direct Collection: Information Required and Timing of Notice

When data is collected directly from the individual, Article 13 of the UK GDPR specifies that a privacy notice must include the following information:

  1. Identity and Contact Details of the Controller:
    Clearly identify the organisation and provide contact details for queries (e.g. the Data Protection Officer).
  2. Purposes of Processing:
    Explain why personal data is being collected and what the legal basis for processing is. If the legal basis is legitimate interest, be sure to explain what the legitimate interest is.
  3. Third-Party Sharing:
    Disclose whether personal data will be shared with other organisations. This includes third parties that are also controllers or processors. Remember to consider suppliers that provide cloud-based services which involve processing data on your behalf, e.g. HR platforms or payroll systems. Also consider whether you need to share within your group, or whether it would be appropriate to cover any potential sharing of personal data in the event of an asset sale or corporate restructure.
    If personal data will be shared outside of the UK, highlight any safeguards in place, such as Standard Contractual Clauses (SCCs).
  4. Retention:
    Set out how long your organisation will retain the personal data for, or the criteria used to determine that period.
  5. Rights of Data Subjects:
    Detail individuals' rights and provide instructions for exercising them (e.g. contacting the DPO or submitting a Subject Access Request).
    If you are relying on consent, let data subjects know they can withdraw consent at any time and how they can do this. Inform them that withdrawing consent will not affect the lawfulness of processing based on consent before the withdrawal.
    If you are relying on contract or a statutory requirement, let people know the consequence of failing to provide the information, e.g. you cannot proceed to offer employment.
  6. Automated Decision-Making and Profiling:
    If applicable, explain any automated decision-making processes and their potential impact on individuals.
  7. Complaints Mechanism:
    Provide details of how individuals can lodge complaints, including contact information for the Information Commissioner's Office (ICO).

When data is collected directly, this information must be provided at the point of data collection.

Indirect Collection: Information Required and Timing of Notice

When data is collected indirectly from sources other than the individual, Article 14 of the UK GDPR requires privacy notices to include the following:

  1. All of the information as required under Article 13 (where relevant)
  2. Categories of Personal Data:
    Specify the types of data obtained (e.g., name, email, employment history).
  3. Data sources:
    Indicate where the data came from, including whether it was sourced from publicly available information or a third party.

When data is collected indirectly, this information must be provided either:

  1. At the very latest, within one month of data collection;
  2. At the point of first communication with the data subject; or
  3. Before disclosing the data to a third party.

The exceptions to providing a privacy notice where information is collected indirectly are where (a) the data subject already has this information; (b) the provision of such information proves impossible or would involve a disproportionate effort; (c) obtaining or disclosing the data is expressly laid down by applicable law; or (d) the personal data must remain confidential subject to an obligation of professional secrecy.

The Transparency Requirements

In addition to the prescriptive information requirements listed under the UK GDPR, privacy notices must also uphold the transparency principle. This means they must be written in plain, clear and concise language so that they are easily read and widely understood. In this respect, we recommend considering the following:

  1. Avoid legalese: Simplify complex legal or technical terms. Include short, plain-English definitions for essential terms such as “controller”, “lawful basis”, etc.
  2. Multiple Channels: If your organisation uses multiple channels to engage with clients or customers (e.g. a website, an app, social media), ensure that privacy notices are easily accessible at all these points.
  3. Special considerations: For example, ensure that your privacy notice references the cookies used on your website, or signposts a separate cookie policy that individuals can access.

In terms of presenting the information, the ICO also recommends not always relying on a single privacy notice or page on your website. The ICO recommends considering whether there are better ways to communicate the information where appropriate, such as taking what it calls "a blended approach" to the provision of privacy information to data subjects. Information can be provided in a variety of ways:

  1. Layered Notices: Present key privacy information upfront with links or expandable sections for more detail, ensuring clarity without overwhelming users.
  2. Dashboards: Centralise data preferences and settings, making it easy for individuals to manage permissions, update preferences, or access their data.
  3. Just-in-time notices: Provide relevant privacy information at the moment data is collected, such as when filling out forms or enabling location services.
  4. Icons: Use recognisable icons (such as a padlock for secure data) to visually convey privacy concepts quickly and effectively.
  5. Mobile and smart device functionalities: Take advantage of features such as push notifications and device settings to provide easy access to privacy information updates.

Organisations should consider the medium they use to collect personal data and, to the extent possible, provide the privacy information through that same medium.

Regular Monitoring

It is also important to regularly review your privacy notices to reflect legal or organisational changes that affect your processing activity. As a minimum, we would recommend reviewing your privacy notices annually. If there is a material change to your privacy notice as a result of your review, the updated privacy notice will need to be communicated to the relevant data subjects so that they are aware of the changes.

If you have any questions regarding drafting and tailoring privacy notices to suit your organisation's activities, please contact our specialist Data Protection Team on 03330 430350.

About the authors

Loretta Maxfield

Partner

Data Protection & GDPR, Intellectual Property

Lilac Cabbad

Data Protection Services Assistant

Data Protection & GDPR

For more information, contact Loretta Maxfield on +44 1382 346814.