GDPR puts a strong emphasis on transparency and, as a result, unlike current law, these transparency obligations are now set out as an individual right.
As well as setting out what information organisations have to provide to individuals, GDPR sets out requirements for how to communicate that information. Specifically, organisations must provide information:
- in a way that is clear, transparent, easy to understand and easily accessible;
- using clear and plain language;
- in writing, or by other means, including, where appropriate, electronically.
GDPR is also clear that the need to communicate in ‘clear and plain language’ is particularly important for any information aimed specifically at children. Some organisations are therefore looking at whether they need to rewrite their privacy information so it can be understood by children, or even to provide a separate version.
So what do organisations now need to tell you?
In terms of what people must be told, GDPR distinguishes between personal information an organisation gets directly from a person and personal information it gets from elsewhere. In practice, though, it is broadly the same information apart from one or two things. However organisations decide to tell you, they should make you aware of the following.
- Who they are and how to contact them, including how to contact their data protection officer, if they have one.
- What personal information they collect from or about you, and what they do with it.
- Who, or what types of organisations, they share your personal information with, if any.
- How long they keep your personal information for, or the criteria they use to decide on that.
- If they intend to transfer your personal information to a country outside the EU, and how they make that transfer compliant.
- Whether they carry out any automated decision-making using your personal information, meaningful information about the logic involved, and the significance and consequences to you of this automated decision.
- The rights you have, including the right to complain to the data protection regulator.
- What lawful basis they are using; where this is your consent, that you have the right to withdraw it at any time; and where they rely on their legitimate business interests to use your personal information, what those interests are.
- When they get personal information directly from you: whether it’s mandatory or voluntary to provide it (to get the product/service), and the possible consequences if you don’t.
- When they get personal information about you from somewhere else: where they got it from and whether it came from publicly accessible sources.
When do organisations need to give you this information?
If they are getting the personal information from you directly: at the time they collect it.
Rather than giving you a lot of information to read, organisations should get creative and tell you what you need to know, when you need to know it, and give you the ability to find out more details if you want to. Consumers will have more meaningful interactions with organisations and better relationships if they have the most relevant information at the right time.
If the organisation gets the personal information from elsewhere: within a reasonable period of time afterwards, but within one month at the latest.
If they intend to use the personal information they collected to communicate with you: in that first communication at the latest.
If they intend to disclose the personal information to another person or organisation: at the time of that first disclosure, at the latest.
Do organisations always need to provide this information?
There are some scenarios where organisations don’t have to provide you with the information. Regardless of where they get the personal information from, they don’t need to provide you with any information that you already have.
Where an organisation gets your information from somewhere else, there are some specific circumstances in which they don’t need to provide you with all the information. These are cases where doing so is impossible or extremely difficult, such as where they have no contact details for you. In these cases the organisation instead has to take other appropriate steps, for example by making the information publicly available in a privacy notice.
The UK’s draft Data Protection Bill to implement GDPR is still being finalised, but its present version retains the exemptions in existing law under which an organisation may not have to provide you with some information in certain circumstances.
So what does all this mean?
As organisations work to comply with GDPR you may find they send you or alert you to updated privacy notices setting out how they collect and use your personal information. Many people don’t bother to read privacy notices, and you may think that a lot of the information provided is not interesting or relevant to you. However, organisations should be making the information clearer and it should be easier to find details that do interest you. Understanding how organisations use your personal information helps you decide whether to trust them with it.
What is Yoti doing?
Transparency is one of our core business principles, so we try very hard to write our privacy information in as plain English as possible, so everyone can understand it. We are also looking at testing it with under-18s and discussing whether we can simplify it further or whether we need a children’s version.
You can contact our Data Protection Officer on firstname.lastname@example.org.