The Information Commissioner’s Office has updated the section in the GDPR on the individual’s Right to be Informed about the collection and use of their personal data.
Let’s take a look at what’s new.
So we all know by now that it’s transparency that’s at the heart of GDPR. Allow individuals access to the deepest, darkest details of the personal data we hold on them, be clear about how it is used, and give back control. Now the GDPR goes deeper into that promise, with the Right to be Informed.
In Articles 13 and 14 of the GDPR, you will find the specifics of what individuals should be informed about – referred to by the Information Commissioner’s Office (ICO) as Privacy Information. How you obtained the data in the first place (directly from the individual or via another third-party source) determines what you need to share.
| The information you should provide | Personal data obtained from individuals | Personal data obtained from other sources |
| --- | --- | --- |
| The organisation’s name and contact details | ✓ | ✓ |
| The organisation representative’s contact details | ✓ | ✓ |
| The Data Protection Officer’s (DPO) name and contact details | ✓ | ✓ |
| What you plan to do with the data you are processing (the purposes of the processing) | ✓ | ✓ |
| The lawful basis for processing the personal data | ✓ | ✓ |
| The legitimate interests for processing the personal data (where relied on) | ✓ | ✓ |
| The categories of personal data obtained | ✓ | |
| The recipients or categories of recipients of the personal data | ✓ | ✓ |
| The details of any transfers of the personal data to any third countries or international organisations | ✓ | ✓ |
| How long you plan to retain the personal data | ✓ | ✓ |
| The rights available to individuals in respect of the processing | ✓ | ✓ |
| The right to withdraw consent | ✓ | ✓ |
| The right to lodge a complaint with a supervisory authority | ✓ | ✓ |
| The source of the personal data | ✓ | |
| The details of whether individuals are under a statutory or contractual obligation to provide the personal data | ✓ | |
| The details of the existence of automated decision-making, including profiling | ✓ | ✓ |
The advice here is to consider the context of the way the data was collected in the first instance, and where possible use the same medium to communicate Privacy Information. Above all, it’s important to keep it clear and simple and to use language that the target audience would understand.
For example, if using mobile and smart devices, you could utilise pop-ups, voice alerts and device gestures. Additionally, graphics and icons can go a long way in communicating this information in a simple and intuitive way.
The ICO also refers to a ‘just-in-time notice’ where relevant and focussed information is presented to the user at the time of personal data collection or when they decide to give consent. You could also use the layered approach, similar to this mobile device image. Key and concise points are listed, with additional layers or links to more detailed information elsewhere.
The most common way of allowing individuals to access and control how their personal data is used is to use preference management tools or dashboard areas on a website.
As we have stated above, one of the requirements when collecting personal data is to ensure that the individual has access to the privacy information at that moment. If you have obtained their personal data from another third-party source, then you have other requirements to follow:
However, in the instance of obtaining data from another source, the GDPR does not require you to tell individuals anything they already know. This means that providing privacy information is not required if:
Get this requirement right and not only will you comply with many aspects of the GDPR, but it will also help you to demonstrate to a more engaged customer base that you can be trusted with their personal data.
ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.
The information in this blog is for general guidance and does not constitute legal advice.