Remember the old saying “Clear water hides nothing?” That’s the guiding principle of the EU’s General Data Protection Regulation (GDPR) rules on transparency.
Companies have to tell consumers what data they hold on them, how it is being used, who has access to it and how they can opt out. And it has to be done with a level of detail that we’ve never seen in the U.S.
The GDPR doesn’t define “transparency” per se, but the Article 29 Data Protection Working Party’s new paper on the subject does provide some guidelines on how to write a statement on privacy and data:
- It must be concise, transparent, intelligible and easily accessible
- Clear and plain language must be used
- It must be in writing, “or any other means, including where appropriate, by electronic means”
- When requested by the data subject, it may be provided orally; in every case it must be provided free of charge
What do they mean by “easily accessible?” The data subject should not have to seek out the information. Rather, the details should be provided directly by “signposting” them, or as an answer to a question, in formats such as these:
- In an online layered privacy statement/notice
- FAQs
- Contextual pop-ups that appear when a data subject fills in an online form
- In an interactive digital context through a chatbot interface
Don’t think you can fill your data statements with weasel words or legal mumbo-jumbo. Let’s say you use a phrase like “we may use your personal data to offer personalized services.” That statement is too vague. The advisory states that “language qualifiers such as ‘may,’ ‘might,’ ‘some,’ ‘often’ and ‘possible’ should be avoided.”
In addition, the paper urges you to “use bullet points and indents to signal hierarchical relationships,” and says that language should be in the active rather than the passive form. Also, avoid overly legalistic or technical terms.
Are you marketing to children? Use the appropriate “vocabulary, tone and style.” And make sure your privacy statements are accessible to people with disabilities.
Seem strange? If the firm’s goods and services are used by, or targeted at, “other vulnerable members of society, including people with disabilities or people who may have difficulties accessing information, the vulnerabilities of such data subjects should be taken into account,” it says.
All well and good. But just what do you have to be transparent about? Under Articles 13 and 14 of the GDPR, you have to specify (and we quote):
- The identity and contact details of the controller and/or their representative
- Contact details for the data protection officer, where applicable
- The purposes and legal basis for the processing
- Where legitimate interests are the legal basis for the processing, (specify) the legitimate interests pursued by the data controller or a third party
- Categories of personal data concerned
- Recipients (or categories of recipients) of the personal data
- Details of transfers to third countries, the fact of same and the details of the relevant safeguards
- The storage period (or if not possible, criteria used to determine that period)
- The rights of the data subject to access; rectification; erasure; restriction on processing; objection to processing; and portability
- Where processing is based on consent (or explicit consent), the right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- Whether providing the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; whether the data subject is obliged to provide the data; and the possible consequences of failing to do so
- The source that the personal data originate from and, if applicable, whether it came from a publicly accessible source
- The existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject
Sounds like a strong dose, doesn’t it? Get used to it: it will be the prevailing rule for anyone who holds data on European citizens from May 25, 2018.