EPISODE 3 – Communicating Privacy Information
Any UK company which collected and /or process personal data has had an obligation under the Data Protection Act 1998 to provide people with privacy information, also known as a privacy notice. In this the third episode in our series we are going to be exploring these privacy notices and highlighting some of the changes which will be made when the European wide General Data Protection Regulations (GDPR) comes into force, on 25th May 2018.
The GDPR strengthens the protection afforded to EU citizens with regards to what happens with their data. The requirement to provide information to citizens is perhaps one of the less onerous of the requirements of the GDPR as the majority of companies will already have an existing privacy notice in place.
This requirement can be seen as an opportunity to revisit and update your existing privacy information as well as adopting best practices in regards to the way you tell your customers, partners and staff what it is that you will do with their personal information.
In the previous article in this series (See Episode 2) we talked about conducting an information audit. We said how the documentation produced would form the foundation for a lot of the GDPR compliance work that followed and the review and adjustment of privacy information is one such case.
The GDPR has enshrined in law a lot of the good practice that was promoted by the various EU country information commissioners. This aligns with the overall aim of the GDPR to promote transparency and fairness and the notion that this law represents an opportunity for businesses to build a closer and more trusting relationship with its customers.
At a base level the GDPR states that:
The controller shall take appropriate measures to provide […] information […] in a concise, transparent, intelligible and easily accessible form, using clear and plain language. GDPR Article 12 (1)
If we unpick this statement; we should ensure that our privacy information is distinct, easily found and not buried within a mass of text which relates to other terms and conditions of business.
We should ensure that the language that we use within the information is appropriate for the people who would need to read and understand the information.
This is a key point, should your business rely on consent as its basis for collecting and processing data?
So for example, the language we would use when providing privacy information to children, will be different to that used with adults.
We should be clear and upfront about what we intend to do with the data we have collected.
We should provide the privacy information in a variety of forms, and at different times within the data collection and business processing. Companies should consider a number of different ways of communicating this information and not rely solely on a single text heavy web page or paper document.
The GDPR also mandates the information that needs to be provided and there are slight differences dependent upon whether a business collects the data directly from the data subject, or receives the data from another party. Businesses should review their existing privacy information and ensure that the following information is contained within it:
- Identity and contact details of the Controller and Data Protection Officer.
- Purpose and legal basis for data processing.
- The legitimate interest of the controller (where applicable.)
- Any recipients of the personal data.
- Details of any transfers to third-parties and the safe-guards in-place.
- The retention period or criteria used to devise the retention period.
- The existence of the data subjects’ rights.
- The right to withdraw consent at any time (where relevant)
- The right to lodge a complaint to a supervisory authority.
- The consequences of not providing personal data if doing so is part of a statutory requirement, contract or obligation.
- The existence of automated decision making, the significance and consequences of it.
Points 6 to 11 must be provided “…at the time when personal data are obtained…”
Points 1 to 11 above and:
12. The categories of personal data collected.
13. The source the personal data originated from and whether the source is publicly accessible.
Points 1 to 13 must be provided “…within a reasonable period after obtaining the personal data, but at the latest within one month…”
Reviewing the above we can see that points 2, 3, 4, 6, & 12 could all be taken from the Information audit already undertaken.
There are a number of good practices that can be utilised to communicate the required information in a structured and accessible manner and companies are well advised to resist the temptation to ‘bury this information’. Both the EU and the Information Commissioner have indicated that they would view this as going against the principle of fair processing which is embedded within the GDPR.
One key question is; when should you actively provide and push privacy information and when it is acceptable to just make the information available?
One way to approach this would be to review the output of the information audit. Identify the data you collect and focus on the processing you undertake upon that data.
With that processing in mind ask yourself; Is it reasonable for our average customer/partner/staff member to expect us to use their data in this way?
Or the other way to put it; Would the average customer/partner/staff member be surprised or even object if they discovered that we did that with their data?
If there is a reasonable exception that you would undertake a certain process with the average customers data, then it is sufficient to have privacy information which is easily accessible. However, if the average customer would be surprised at the use of their data then there is a need to actively push privacy information to the customer and do so at the appropriate time.
For example; If I were to purchase insulation for my home. It is reasonable to expect the insulation company to visit my home and take measurements to supply me with a quotation and gauge how much material they will need. That is a reasonable and expected use of my data. However, if the insulation company then sells the data about my home to a 3rd party, which is an unexpected use of my data and so privacy information should be pushed to me at the appropriate time.
There are a number of best practices for companies to provide the relevant information at the appropriate time and we have listed some of them below.
When a user supplies personal data via a web form, text hints can be used to convey the reason for asking for a piece of information as the user enters each text box on the form.
Submission of form
At the point of submission of the form there should be a clear succinct synopsis of the privacy information. If the users consent is required then the reason for asking for consent and the reason for processing the data must be clearly displayed, with a clear option to opt-in or opt-out.
Some users will be happy to understand the use of their personal data at a high level, others will want more details. The use of layered privacy notices can satisfy both of these types of user.
Extension of services
Some companies provide a base level of service which can be enhanced. For example; basic and enhanced screening of DNA. Companies should provide the additional privacy information at the time the service is extended or enhanced.
In many cases companies may decide to process personal data in a manner which was not envisaged at the time of collection. In this case the privacy information should be updated and pushed to the data subjects prior to the new processing being undertaken.
Privacy dashboards provide a centralised area on a web site, usually within a customers’ account where data subjects can indicate their preferences with regards to opt-in or out of various uses of their personal data. These dashboards will also contain links to the various privacy information pages. For companies using SAP these dashboards are relatively straight forwards to construct using Fiori or UI5 and it is not difficult to envisage how they could also be used to fulfil some of the other requirements of the GDPR, specifically those around users’ rights.
We have listed some of the ways that companies can communicate privacy information, however businesses should not seek to implement just one of these methods but a combination of all of them. Both the GDPR and the Information Commissioners make reference to “Privacy Information” i.e. that information about the processing of personal data should be supplied in various forms (e.g. paper, video, speech) by various means (e.g. spoken, posted, display on webpage) and at appropriate times (e.g. before web form submission, when opening an account)
The requirement for a business to provide its customers, staff and partners with detailed information about how they collect and process personal data provides an opportunity for organisations to embrace transparency and ethical practices as a means of building trust and confidence with their customers, partners and staff. Distinguishing themselves from their competitors.
Your Journey to GDPR Compliance Series – Missed an Episode? Catch up on demand below:
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed Group and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.