GDPR Section Updates: Right to be Informed

Book a demo

Two coworkers discussing next to a laptop

The Information Commissioner’s Office has updated the section in the GDPR on the individual’s Right to be Informed about the collection and use of their personal data.

Let’s take a look at what’s new.

What is the Right to be Informed under the GDPR?

So we all know by now that it’s transparency that’s at the heart of GDPR. Allow individuals access to the deepest, darkest details of the personal data we hold on them, be clear about how it is used, and give back control. Now the GDPR goes deeper into that promise, with the Right to be Informed.

In Articles 13 and 14 of the GDPR, you will find the specifics of what individuals should be informed about – referred to by the Information Commissioner’s Office (ICO) as Privacy Information. Depending on how you obtained the data in the first place (directly from the individual or via another third party source) will determine what you need to share.

What information do you need to share?

The information you should provide Personal data obtained from individuals Personal data obtained from other sources
The organisation’s name and contact details
The organisation representative’s contact details
The Data Protection Officer’s (DPO) name and contact details
What you plan to do with the data you are processing
Do you have a lawful basis for processing the personal data?
Do you have a legitimate interest for processing the personal data?
The categories of personal data obtained
The recipients or categories of recipients of the personal data
The details of any transfers of the personal data to any third countries or international organisations
How long you plan to retain the personal data
The rights available to individuals in respect of the processing
The right to withdraw consent
The right to lodge a complaint with a supervisory authority
The source of the personal data
The details of whether individuals are under a statutory or contractual obligation to provide the personal data
The details of the existence of automated decision-making, including profiling
See how simple it is with ISMS.online

How should you provide this Privacy Information to individuals under the GDPR?

The advice here is to consider the context of the way the data was collected in the first instance, and where possible use the same medium to communicate Privacy Information. Above all, it’s important to keep it clear and simple and to use language that the target audience would understand.

For example, if using mobile and smart devices, you could utilise pop-ups, voice alerts and device gestures. Additionally, graphics and icons can go a long way in communicating this information in a simple and intuitive way.

The ICO also refers to a ‘just-in-time notice’ where relevant and focussed information is presented to the user at the time of personal data collection or when they decide to give consent. You could also use the layered approach, similar to this mobile device image. Key and concise points are listed, with additional layers or links to more detailed information elsewhere.

The most common way of allowing individuals to access and control how their personal data is used is to use preference management tools or dashboard areas on a website.

Time is of the essence when providing Privacy Information to individuals

As we have stated above, one of the requirements when collecting personal data is to ensure that the individual has access to the privacy information at that moment. If you have obtained their personal data from another third party source, then you have other requirements to follow:

  • provide the individual with the privacy information within one month;
  • if you are using the data to make contact with the individual, you should inform them of those details on the first communication; or
  • if disclosure to someone else in likely, inform them when the data is disclosed at the latest.

However, in the instance of obtaining data from another source, the GDPR does not require you to tell individuals anything they already know. This means that providing privacy information is not required if:

  • the individual already has the information;
  • it is impossible to reach them;
  • it would involve disproportionate effort;
  • it would impair the objectives of processing;
  • the personal data collection was required by law; or
  • you are subject to professional secrecy regulated by law.

Get this requirement right and not only will you comply with many aspects of the GDPR, but it will also help you to demonstrate to a more engaged customer base that you can be trusted with their personal data.

An efficient way to manage & categorise the personal data you store

ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.

Not ready to get started? Subscribe to receive more articles like this

The information in this blog is for general guidance and does not constitute legal advice.

100% of our users achieve ISO 27001 certification first time

Start your journey today
See how we can help you

Streamline your workflow with our new Jira integration! Learn more here.