Remember the old saying “Clear water hides nothing?” That’s the guiding principle of the EU’s General Data Protection Regulation (GDPR) rules on transparency.
Companies have to tell consumers about all the data they hold on them, how it is being used, who has access to it and how they can opt out. And it has to be done with a level of detail that we’ve never seen in the U.S.
The GDPR doesn’t define “transparency” per se, but the Data Protection Working Party’s new paper on the subject does provide some guidelines on how to write a statement on privacy and data:
What do they mean by “easily accessible?” This specifies that the data subject should not have to seek out the information.
Rather, the details should be provided directly by “signposting” it, or as an answer to a question in these formats:
Don’t think you can fill your data statements with weasel words or legal mumbo-jumbo.
Let’s say you use a phrase like “we may use your personal data to offer personalized services.”
That statement is too vague. The advisory states that “language qualifiers such as ‘may,’ ‘might,’ ‘some,’ ‘often’ and ‘possible’ should be avoided.”
In addition, the paper urges you to “use bullet points and indents to signal hierarchical relationships, and that language should be in the active rather than the passive form.” Also, avoid overly legalistic or technical terms.
Are you marketing to children? Use the appropriate “vocabulary, tone and style.” And make sure your privacy statements are handicapped accessible.
Seem strange? If the firm’s goods and services are “available of, by (or targeted at) other vulnerable members of society, including people with disabilities or people who may have difficulties accessing information, the vulnerabilities of such data subjects should be taken into account,” it says.
All well and good. But just what do you have to be transparent about? Under Articles 13 and 14 of the GDPR, you have to specify (and we quote):
Sounds like a strong dose, doesn’t it? Get used to it: it will be the prevailing rule for anyone who holds data on European citizens on May 25.