What’s new under the GDPR?
Is there a big change?
The right to be informed is an integral element of transparency under the GDPR. It is about being clear and open with individuals about how you collect and use their personal data. Although the term ‘transparency’ is not actually used in the Data Protection Act 1998 (1998 Act), it has always been an implicit requirement. It is closely linked with the fairness element of the first principle of the 1998 Act which, amongst other things, obliges you to give individuals certain information about how you intend to use their personal data.
The GDPR places a greater emphasis on transparency. Its importance is elevated by its explicit inclusion alongside lawfulness and fairness in Article 5(1)(a), which says that personal data shall be:
“processed lawfully, fairly and in a transparent manner in relation to the data subject…”
The increased prominence of transparency is reflected by more specific provisions on the types of information that you need to provide individuals with. As with the 1998 Act, you must still tell individuals who you are and what you plan to do with their personal data. The GDPR builds on this with requirements to provide additional information such as the lawful basis for the processing, the recipients of the personal data and the relevant retention periods.
What else is new?
The right to be informed is not only about the detail and content of the information you provide to individuals, but also about the quality of that information and how you provide it. The GDPR raises the bar in this regard. Article 12(1) says that such information must be provided in:
“…a concise, transparent, intelligible and easily accessible form, using clear and plain language…”
You won’t be able to meet these requirements simply by listing all the necessary information in a lengthy and legalistic notice. You must take appropriate measures to provide the information in such a way that the intended audience can easily read and understand it.
To achieve this, the GDPR says that, as well as writing, you can use other techniques to provide this information to individuals. For instance, you can use visualisation tools and standardised icons to help give individuals a meaningful overview of how you use their personal data.
Currently, the 1998 Act allows you to make privacy information “readily available”, but under the GDPR you must actively provide people with the information in a way that is easy for them to access. Putting a notice on your website without letting people know it’s there is not good enough.
What do we need to do?
You should review the ways you currently provide people with privacy information to check that the content, quality and provision of the information meet the standards set by the GDPR. If this is not the case, you must update your approach accordingly and ensure that anyone you obtain personal data about from 25 May 2018 is provided with GDPR-compliant information.