• by Ray Schultz , Columnist, January 16, 2018

Remember the old saying “Clear water hides nothing?” That’s the guiding principle of the EU’s General Data Protection Regulation (GDPR) rules on transparency.

Companies have to tell consumers about all the data they hold on them, how it is being used, who has access to it and how they can opt out. And it has to be done with a level of detail that we’ve never seen in the U.S.

The GDPR doesn’t define “transparency” per se, but the Data Protection Working Party’s new paper on the subject does provide some guidelines on how to write a statement on privay and data:

• It must be concise, transparent, intelligible and easy accessible
• Clear and plain language must be used 
• It must be in writing, “or any other means, including where appropriate, by electronic means" 
• When requested by the data subject, it may be provided orally, and it must be provided free of charge

What do they mean by “easily accessible?” This specifies that the data subject should not have to seek out the information.

Rather, the details should provided directly by “signposting” it, or as an answer to a question in these formats: 

• In an online layered privacy statement/notice
• FAQs
• Contextual pop-ups that appear when a data subject fills in an online form
• In an interactive digital context through a chatbot interface

Don’t think you can fill your data statements with weasel words or legal mumbo-jumbo.

Let’s say you use a phrase like “we may use your personal data to offer personalized services.”

That statement is too vague. The advisory states that “language qualifiers such as ‘may,’ ‘might,’ ‘some,’ ‘often’ and ‘possible’ should be avoided.”

In addition, the paper urges you to "use bullet points and indents to signal hierarchical relationships, and that language should be in the active rather than the passive form. "Also, avoid over legal legalistic or technical terms.

Are you marketing to children? Use the appropriate “vocabulary, tone and style.” And make sure your privacy statements are handicapped accessible.

Seem strange? If the firm’s goods and services are “available of, by (or targeted at) other vulnerable members of society, including people with disabilities or people who may have difficulties accessing information, the vulnerabilities of such data subjects should be taken into account,” it says.

All well and good. But just what do you have to be transparent about?  Under Articles 13 and 14 of the GRPD, you have to specify (and we quote):

• The identity and contact details of the controller and/or their representative
• Contact details for the data protection officer where applicable
• The purposes and legal basis for the processing
• Where legitimate interests are the legal basis for the processing, (specify) the legitimate interests pursued by the data controller or a third party
• Categories of personal data concerned
• Recipients (or categories of recipients) of the personal data
• Details of transfers to third countries, the fact of same and the details of the relevant safeguards
• The storage period (or if not possible, criteria used to determine that period)
• The rights of the data subject to access; rectification; erasure; restriction on processing; objection to processing and portability
• Where processing is based on consent t(or explicit consent), the right to withdraw consent at any time
• The right to lodge a complaint with a supervisory authority
• Whether there is a statutory or contractual requirement to provide the information or whether it is necessary to enter into a contract or whether there is an obligation to provide the information and the possible consequences of failure
• The source that the personal data originate from, and if applicable, whether it came from a publicly accessible source. 
• The existence of automated decision-making including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject

Sounds like a strong dose, doesn’t it? Get used to it: it will be the prevailing rule for anyone who holds data on European citizens on May 25.